The pseudonymous co-founder of DeFi data aggregation platform DefiLlama has shed light on vulnerabilities that could wipe out all NFTs minted with Foundation's contract.
In the Web3 industry, most projects have open source code, which allows other developers to view source code from different platforms. This also allows other developers to contribute to the project and report certain vulnerabilities or bugs.
Foundation NFTs: Two transactions away from destruction?
0xngmi, the anon co-founder of DefiLlama, wrote a Twitter thread highlighting an exploit in Foundation's non-fungible token (NFT) contracts. Foundation is a platform that facilitates the creation and trading of NFTs.
While NFTs are supposed to be immutable, 0xngmi states that the NFTs minted using the Foundation’s contracts are “only two trades away from destruction”.
Source: Twitter
0xngmi explains vulnerability
According to 0xngmi, NFTs minted on Foundation use a common smart contract to save on gas costs. In addition, Foundation has a feature that allows a contract's owner to destroy the contract if it has no NFTs.
So if Foundation's team or a malicious party destroys this common contract, all collection contracts may stop working.
A two-out-of-six multi-sig protects the common smart contract. If two keys are exposed to hackers, the hackers can hold the NFTs for ransom or destroy them.
0xngmi further reveals that he reported the exploit six months ago, but the Foundation team has not updated it. In addition, they asked for 0xngmi’s “know your customer” (KYC) data that could reveal the identity of the anonymous co-founder.
Finally, Foundation's CTO responded to the thread on Thursday with an update on the situation. He wrote:
“This has been fixed for contracts rolled out before 6/3.
Contracts deployed after 3/6 were already safe – the deployment contract owner was set to 0 and the contract could not self-destruct [sic].”
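The failure mode from the thread and the owner-set-to-0 state from the CTO's reply can be traced in a small model. This is an added illustration, not Foundation's code: the `Chain` class, the addresses `T` and `A`, and the assumption that each collection keeps its own storage while borrowing only the common contract's code are constructed for the example.

```python
# Toy model (constructed; not Foundation's code) of collections sharing one
# common contract. Assumption: a collection stores its own NFTs and owner,
# and only borrows the common contract's code (delegatecall-style).
ZERO = "0x0"

class Chain:
    def __init__(self):
        self.code = {}     # address -> code marker, None once destroyed
        self.storage = {}  # address -> per-contract state

    def deploy_template(self, addr, owner):
        self.code[addr] = "collection-logic"
        self.storage[addr] = {"owner": owner, "supply": 0}

    def deploy_collection(self, addr, template, creator):
        self.code[addr] = "proxy"
        self.storage[addr] = {"owner": creator, "supply": 0, "template": template}

    def _state(self, addr):
        # Every call needs live code at the contract AND at its template.
        target = self.storage[addr].get("template", addr)
        if self.code.get(addr) is None or self.code.get(target) is None:
            raise RuntimeError(f"{addr}: no code to execute")
        return self.storage[addr]

    def mint(self, addr):
        state = self._state(addr)
        state["supply"] += 1
        return state["supply"]

    def self_destruct(self, addr, caller):
        state = self._state(addr)
        if caller == ZERO or caller != state["owner"]:
            raise PermissionError("caller is not the owner")
        if state["supply"] != 0:  # guard reads THIS contract's storage only
            raise RuntimeError("contract still holds NFTs")
        self.code[addr] = None

def scenario(template_owner):
    """Return (supply after first mint, template destroyed?, collection usable?)."""
    chain = Chain()
    chain.deploy_template("T", template_owner)
    chain.deploy_collection("A", "T", "artist")
    minted = chain.mint("A")  # the NFT lands in A's storage, not T's
    try:
        chain.self_destruct("T", "multisig"); destroyed = True
    except PermissionError:
        destroyed = False
    try:
        chain.mint("A"); usable = True
    except RuntimeError:
        usable = False
    return minted, destroyed, usable
```

In this model the "no NFTs" guard never blocks the call on the common contract, because minted tokens are recorded in each collection's own storage; only the owner check stands between the multi-sig and every collection that depends on `T`.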
BeInCrypto has contacted the Foundation, but has not yet received a response.
White hat activity, such as reporting vulnerabilities to a project, secures the Web3 ecosystem for its users. By 2022, white hat hackers saved more than $20 billion by reporting vulnerabilities, giving the projects a chance to fix them.