After Thirdweb disclosed a security vulnerability that could impact various common smart contracts utilized in the Web3 ecosystem, OpenZeppelin pinpointed two particular standards as the root cause of the issue.
On December 4, Thirdweb reported a vulnerability in a widely used open-source library that could potentially affect pre-built contracts such as DropERC20, ERC-721, ERC-1155 (across all versions), and AirdropERC20. In response, OpenZeppelin, a smart contract development platform, along with non-fungible token marketplaces like Coinbase NFT and OpenSea, proactively alerted users about the potential threat. Upon investigation, OpenZeppelin identified that the vulnerability arose from an integration involving ERC-2771 and Multicall.
The flaw arises when ERC-2771 (meta-transactions relayed through a trusted forwarder) and the Multicall pattern are combined in a single contract. OpenZeppelin identified 13 groups of vulnerable smart contracts that could potentially be exploited. To address this issue, crypto service providers are urged to act swiftly before malicious entities exploit the vulnerability. OpenZeppelin's investigation revealed that ERC-2771 overrides the contract's sender lookup so that it reads the original sender from data the forwarder appends to the call; when a Multicall entry point relays caller-supplied calldata through the same contract, that sender information can be spoofed and calls executed on another address's behalf.
OpenZeppelin advised the Web3 community using these integrations to follow a 4-step security approach: disable trusted forwarders, suspend contracts and revoke approvals, prepare for upgrades, and evaluate snapshot options. Additionally, Thirdweb introduced a mitigation tool that permits users to connect their wallets and verify if their contracts are vulnerable to attacks.
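The hardened pattern that the "prepare for upgrades" step points at, as an added illustration rather than code from the original article, Thirdweb or OpenZeppelin: a minimal ERC-2771 context plus a Multicall that re-appends the forwarded-sender suffix to every inner call. The contract names `ERC2771Context`, `MulticallSafe` and `Demo`, the `act()` function and the `Acted` event are assumed for the example. The unpatched shape of this pattern delegatecalls `data[i]` on its own, so the inner call's sender suffix comes from whoever built the batch; the fix below mirrors the approach OpenZeppelin adopted in its patched releases (`_contextSuffixLength()` and `bytes.concat(data[i], context)`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-2771 context (example code, simplified from the standard's pattern).
// A trusted forwarder appends the original sender as the last 20 bytes of calldata,
// and _msgSender() recovers it from there instead of trusting msg.sender.
abstract contract ERC2771Context {
    address private immutable _trustedForwarder;

    constructor(address trustedForwarder_) {
        _trustedForwarder = trustedForwarder_;
    }

    function isTrustedForwarder(address forwarder) public view virtual returns (bool) {
        return forwarder == _trustedForwarder;
    }

    // Number of trailing calldata bytes that carry the forwarded sender.
    function _contextSuffixLength() internal view virtual returns (uint256) {
        return 20;
    }

    function _msgSender() internal view virtual returns (address) {
        uint256 calldataLength = msg.data.length;
        uint256 suffixLength = _contextSuffixLength();
        if (isTrustedForwarder(msg.sender) && calldataLength >= suffixLength) {
            return address(bytes20(msg.data[calldataLength - suffixLength:]));
        }
        return msg.sender;
    }
}

// Multicall that is safe to combine with ERC-2771.
// Inside a delegatecall to address(this), msg.sender is still the forwarder, so
// _msgSender() would read the last 20 bytes of the *inner* calldata. Re-appending the
// outer call's sender suffix keeps every inner call bound to the real original sender.
abstract contract MulticallSafe is ERC2771Context {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        // Empty when the call came directly (msg.sender == _msgSender()), otherwise the
        // forwarder-appended suffix of the outer call.
        bytes memory context = msg.sender == _msgSender()
            ? new bytes(0)
            : msg.data[msg.data.length - _contextSuffixLength():];

        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(bytes.concat(data[i], context));
            require(ok, "multicall: inner call failed");
            results[i] = ret;
        }
    }
}

// Hypothetical consumer contract: whatever act() does is attributed to _msgSender(),
// which is now the same address whether act() is called directly, through the
// forwarder, or as one entry of a multicall batch relayed by the forwarder.
contract Demo is MulticallSafe {
    event Acted(address indexed sender);

    constructor(address trustedForwarder_) ERC2771Context(trustedForwarder_) {}

    function act() external {
        emit Acted(_msgSender());
    }
}
```

When reviewing a codebase for this issue, the question to ask of every batching or relaying entry point (multicall, batch, execute-style functions) is whether the inner calls receive caller-supplied bytes only; if the contract also inherits an ERC-2771 context, that is the pattern to upgrade, and until the upgrade ships the remaining steps above (disabling the trusted forwarder, pausing, revoking approvals) are what limit exposure.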
In response to the security concern, the decentralized finance platform Velodrome has temporarily deactivated its relay service until a new version is implemented. James Edwards, lead maintainer at cybersecurity investigator Librehash, cautioned about the risks of deploying AI-developed smart contracts in a live environment, despite the capability of AI chatbots to create contracts. Edwards emphasized AI's potential for scrutinizing smart contracts with high accuracy, surpassing expectations set by GPT-4.
Although acknowledging that AI isn't equivalent to a human auditor, Edwards suggested that it could serve as an initial step to expedite and fortify the auditor's work, enhancing its thoroughness.