Vulnerability in Ethereum contracts is stealing cryptocurrencies, the company warns

OpenZeppelin, a blockchain security company, issued an alert on Friday (8) stating that a vulnerability in Ethereum smart contracts is stealing ETH as well as tokens and NFTs from investors.

The root of the problem is reported to lie in the ERC-2771 standard combined with the Multicall feature. Although several industry players have already been notified of the vulnerability, the company noted a theft of 84.59 ETH (R$1 million), among other smaller ones.

As a recommendation, the company asks developers to pause their contracts, prepare an upgrade and, if this is not possible, take a snapshot to import the balances into a new contract.

Users were advised to revoke permissions even if the flaw has already been fixed. Since the issue only concerns ERC-2771 contracts, the number of affected users may be low.

The vulnerability in Ethereum is already claiming victims

The vulnerability in Ethereum contracts was discovered by Thirdweb on the 20th. However, the company spent the next few days talking to other players to resolve the issue. Last Monday (4), Thirdweb published the first public statement.

This Friday (8), OpenZeppelin revealed more details about the vulnerability, explaining how the attack works and also referring to the losses suffered by some investors.

“Any contract that implements Multicall and ERC-2771 is vulnerable to address spoofing.”

“In the context of the OpenZeppelin contract library, this is possible with Multicall and ERC2771Context,” the company reports. “An attacker can wrap malicious call data in a forwarded request and use Multicall’s delegatecall feature to manipulate the _msgSender() resolution in subcalls.”

How hackers exploit the vulnerability in Ethereum contracts. Source: OpenZeppelin.
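The mechanism quoted above comes down to one detail: delegatecall preserves msg.sender, so a subcall made by Multicall on behalf of a trusted forwarder still looks like a forwarded request, and _msgSender() reads the "original sender" from the last 20 bytes of whatever calldata the subcall received. The mitigation is for the multicall to re-append the forwarded sender to every subcall. The following is an added illustration written for this article, not OpenZeppelin's or Thirdweb's own code; the contract names (ForwarderContext, SafeMulticall, Demo) and the whoAmI() helper are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-2771-style context (constructed for this example): when the
/// caller is the trusted forwarder, the original sender is the last 20 bytes
/// of calldata, appended by the forwarder.
abstract contract ForwarderContext {
    address private immutable _trustedForwarder;

    constructor(address trustedForwarder) { _trustedForwarder = trustedForwarder; }

    function isTrustedForwarder(address f) public view returns (bool) { return f == _trustedForwarder; }

    // Length of the sender suffix appended by the forwarder.
    function _contextSuffixLength() internal pure returns (uint256) { return 20; }

    function _msgSender() internal view returns (address sender) {
        if (isTrustedForwarder(msg.sender) && msg.data.length >= _contextSuffixLength()) {
            assembly { sender := shr(96, calldataload(sub(calldatasize(), 20))) }
        } else {
            sender = msg.sender;
        }
    }
}

/// Multicall that carries the forwarded sender into every subcall.
abstract contract SafeMulticall is ForwarderContext {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        // The vulnerable pattern delegatecalls `data[i]` unchanged: msg.sender in the
        // subcall is still the forwarder, so _msgSender() would read the last 20 bytes
        // of the caller-supplied `data[i]` instead of the address the forwarder verified.
        // Fix: if this call came through the forwarder, capture its sender suffix ...
        bytes memory context = msg.sender == _msgSender()
            ? new bytes(0)
            : msg.data[msg.data.length - _contextSuffixLength():];
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            // ... and re-append it, so each subcall resolves the same sender as the outer call.
            (bool ok, bytes memory ret) = address(this).delegatecall(bytes.concat(data[i], context));
            require(ok, "subcall failed");
            results[i] = ret;
        }
    }
}

/// Example target: exposes the resolved sender so the fix can be checked end to end
/// by sending a forwarded multicall([whoAmI()]) and comparing the result to the signer.
contract Demo is SafeMulticall {
    constructor(address forwarder) ForwarderContext(forwarder) {}
    function whoAmI() external view returns (address) { return _msgSender(); }
}
```

A quick check for an existing deployment: call multicall through the trusted forwarder with an encoded whoAmI() (or any function returning _msgSender()) and confirm the returned address is the forwarded signer, not an address embedded in the inner calldata.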

As for losses, one user lost 84.59 ETH (R$1 million). Smaller losses follow, including 17,394 USDC (R$85,400) and amounts between 0.29 ETH and 1.06 ETH, equal to R$3,380 and R$12,359 respectively.

Company gives recommendations to developers

Finally, the company lists a series of recommendations for developers and users to mitigate the vulnerability. Beyond stealing cryptocurrencies, attackers can also gain access to smart contract functionality.

“The recommended mitigation steps depend on the agency’s details. Before taking action, assess whether the vulnerability has spread to positions with access to other critical roles.”

  • Disable all trusted forwarders (if possible)
  • Pause your contract (if possible)
  • Ask your users to remove any approvals from their contracts (if relevant)
  • Prepare an update (if possible)
  • Evaluate snapshot options

Finally, the vulnerability should affect only a small number of people because it is very specific. Still, if you are a heavy cryptocurrency user, you had better check your wallet. At the time of writing, Ether (ETH) is up 3.7% on the day and is trading at $2,380.

Source: Live Coins