Identifying Vulnerabilities in Web3 Smart Contracts: OpenZeppelin’s Findings

Recently, Thirdweb revealed a security vulnerability that could potentially impact various smart contracts used across the Web3 ecosystem. OpenZeppelin, a prominent smart contracts development platform, conducted an investigation and identified two specific standards as the root cause of the threat.

The Vulnerability

On December 4th, Thirdweb reported a vulnerability in a commonly used open-source library that could affect pre-built contracts such as DropERC20, ERC721, ERC1155, and AirdropERC20. OpenZeppelin’s investigation later found that the vulnerability stemmed from the integration of two standards: ERC-2771 and Multicall.

The ERC-2771 standard allows the overriding of certain call functions, which can be exploited to extract the sender’s address information and spoof calls on their behalf. By wrapping multiple spoofed calls within a single multicall(bytes[]), an attacker can potentially exploit the vulnerability.

Identifying Vulnerable Smart Contracts

OpenZeppelin identified 13 sets of vulnerable smart contracts related to the ERC-2771 integration. It is crucial for crypto service providers to address this issue promptly to prevent bad actors from exploiting the vulnerability.

Ensuring Safety

In response to the vulnerability, OpenZeppelin advised the Web3 community to follow a 4-step method to ensure safety:

1. Disable every trusted forwarder
2. Pause contract and revoke approvals
3. Prepare an upgrade
4. Evaluate snapshot options

Mitigation Tool and Deactivation

To assist users in identifying vulnerable contracts, Thirdweb launched a mitigation tool that allows users to connect their wallets and check if a contract is affected.

In addition, the decentralized finance platform Velodrome deactivated its Relay services until a new version is installed, ensuring user safety and protection.

The Role of AI in Auditing Smart Contracts

Experts have explored the potential of artificial intelligence (AI) in auditing smart contracts and improving cybersecurity efforts. While AI chatbots have the ability to develop smart contracts, deploying them in a live environment carries risks.

However, AI technology shows promise in vetting smart contracts. Recent tests have demonstrated AI’s ability to audit contracts with an unprecedented level of accuracy, surpassing human capability in certain aspects. Although it is not as proficient as a human auditor yet, it can significantly speed up the auditing process and make it more comprehensive.

It is important to note that human audits and the expertise of developers remain crucial in ensuring the security and reliability of smart contracts.

Conclusion

The identification of vulnerabilities in smart contracts is a critical step in maintaining the security of the Web3 ecosystem. OpenZeppelin’s findings regarding the integration of ERC-2771 and Multicall standards shed light on the potential risks and provide guidance for addressing the issue. By proactively informing users and taking necessary precautions, the Web3 community can mitigate the threat and ensure the safety of smart contracts.