The pseudonymous co-founder of the DeFi data aggregator platform DefiLlama has shed light on vulnerabilities that could erase all the NFTs minted using Foundation’s contract.
In the Web3 industry, most projects have open-sourced code, allowing other developers to view the source code of various platforms. This also enables other developers to contribute to the project and flag certain vulnerabilities or bugs.
Foundation NFTs Two Transactions Away From Being Destroyed?
0xngmi, the anonymous co-founder of DefiLlama, wrote a Twitter thread highlighting an exploit in Foundation’s non-fungible token (NFT) contracts. Foundation is a platform that allows the creation and trading of NFTs.
While NFTs are supposed to be immutable, 0xngmi argues that the NFTs minted using Foundation’s contracts “are just two transactions away from being destroyed.”
Source: Twitter
0xngmi Explains Vulnerability
According to 0xngmi, NFTs minted on Foundation share a common smart contract to save on gas fees. Moreover, Foundation has a feature that allows a contract's owner to destroy it if it has no NFTs.
Hence, if the Foundation team or bad actors destroy this common contract, all the collection contracts that rely on it might stop working.
A two-out-of-six multi-sig protects the common smart contract. If any two keys get exposed to hackers, they could hold the NFTs for ransom or destroy them.
0xngmi further reveals that he reported the exploit six months ago, but the Foundation team did not update him. Additionally, they asked for 0xngmi’s “know your customer” (KYC) details, which might reveal the identity of the anonymous co-founder.
Lastly, Foundation's CTO replied to the thread on Thursday with an update on the situation. He wrote:
“This has been fixed for contracts deployed before 3/6.
Contracts deployed after 3/6 were already safe – the owner of the implementation contract was set to 0, and the contract could not have been self-destructed [sic].”
BeInCrypto has reached out to Foundation but has yet to receive a reply.
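The dependency described above can be modelled in a few lines. This is an added example, a simplified Python model rather than Foundation's contract code; the class names, the `audit` helper and the sample addresses are constructed for illustration. It shows why collections fail once the shared logic is gone, and the check a reviewer would run: whether the implementation's owner is the zero address.

```python
# Constructed model for illustration; not Foundation's contract code.
ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"

class SharedImplementation:
    """Logic contract that every collection (clone) forwards its calls to."""
    def __init__(self, owner):
        self.owner = owner
        self.minted = 0  # the template itself holds no NFTs

    def owner_of(self, storage, token_id):
        return storage[token_id]

    def self_destruct(self, chain, address, caller):
        # Owner-only, and only while the template has no NFTs (as the article describes).
        if self.owner == ZERO_ADDRESS or caller != self.owner:
            raise PermissionError("caller is not the owner")
        if self.minted != 0:
            raise RuntimeError("contract still holds NFTs")
        del chain[address]  # code removed from the modelled chain

class Collection:
    """Per-creator clone: keeps its own token storage, borrows the shared logic."""
    def __init__(self, implementation_address):
        self.implementation_address = implementation_address
        self.storage = {}

    def call(self, chain, method, *args):
        logic = chain.get(self.implementation_address)
        if logic is None:
            # Simplification: on-chain the forwarded call runs no code at all.
            raise LookupError("implementation has no code")
        return getattr(logic, method)(self.storage, *args)

def audit(chain, collections):
    """Return findings for each clone whose shared logic is missing or destroyable."""
    findings = []
    for name, collection in collections.items():
        logic = chain.get(collection.implementation_address)
        if logic is None:
            findings.append((name, "implementation has no code"))
        elif logic.owner != ZERO_ADDRESS:
            findings.append((name, "implementation owner can self-destruct shared logic"))
    return findings
```

An empty result from `audit` corresponds to the state the CTO describes for later deployments: the implementation has no owner who could destroy it.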
White hat activity, such as reporting vulnerabilities to projects, secures the Web3 ecosystem for its users. In 2022, white hat hackers saved over $20 billion by reporting vulnerabilities, giving projects a chance to fix them.