OpenZeppelin Identifies Address Spoofing Vulnerability in ERC-2771 Integration

courtesy of cointelegraph.com

A recent security vulnerability has been identified in the integration of ERC-2771 and Multicall standards, potentially impacting a range of smart contracts used in the Web3 ecosystem. OpenZeppelin, a smart contracts development platform, has identified the root cause of the vulnerability and is urging crypto service providers to address the issue before it can be exploited by bad actors.

The Vulnerability

On December 4th, Thirdweb discovered a vulnerability in a widely used open-source library that could impact popular pre-built contracts, including DropERC20, ERC721, ERC1155, and AirdropERC20. Further investigation by OpenZeppelin revealed that the vulnerability is a result of the integration of ERC-2771 and Multicall standards.

OpenZeppelin has identified 13 sets of vulnerable smart contracts that are affected by this integration. To prevent any potential exploits, crypto service providers are advised to take immediate action.

Addressing the Issue

OpenZeppelin has provided a 4-step method for the Web3 community to ensure the safety of their integrations:

  1. Disable every trusted forwarder
  2. Pause contract and revoke approvals
  3. Prepare an upgrade
  4. Evaluate snapshot options

In addition, Thirdweb has launched a mitigation tool that allows users to check if their contracts are vulnerable by connecting their wallets.

Industry Response

The decentralized finance (DeFi) platform Velodrome has already taken action by deactivating its Relay services until a new version is installed, ensuring the security of its users' funds.

Meanwhile, experts have highlighted the potential of artificial intelligence (AI) in auditing smart contracts and enhancing cybersecurity efforts. While AI chatbots can develop smart contracts, deploying them in a live environment is considered risky. However, AI has shown promise in vetting smart contracts, providing an unprecedented level of accuracy and speeding up the work of human auditors.

As the Web3 ecosystem continues to evolve, it is crucial for developers and service providers to stay vigilant and address vulnerabilities promptly. By taking proactive measures, the community can ensure the security and integrity of the smart contracts that underpin the digital landscape.
