In an impactful announcement, renowned digital security specialist OpenZeppelin recently revealed a critical security flaw affecting smart contracts on the Ethereum blockchain. The vulnerability stems from the way the ERC-2771 and Multicall standards are combined, and it poses potentially substantial risks for users and projects on the blockchain, including holders of Ether ($ETH) and USD Coin ($USDC).
Check out the tweet announcing it from the official account.
The flawed combination of these standards, as highlighted by OpenZeppelin, affects a wide range of smart contracts, from ERC-20 tokens, common among stablecoins, to ERC-721, the standard underlying NFTs. The vulnerability allows an "address spoofing" attack, which has already led to the theft of 87 ETH and 17,394 USDC.
The threat was discovered on November 20th, when OpenZeppelin was alerted by ThirdWeb, a company specializing in solutions for #web3 projects. After a quick validation, it became clear that the problem went beyond OpenZeppelin's own contract library, affecting a variety of smart contracts.
To mitigate the damage, OpenZeppelin provides tools such as Code Inspector, while ThirdWeb provides a platform to verify the security of contracts implemented by its library. Crucial measures such as disabling trusted forwarders, pausing contracts and revoking permission approvals are recommended, along with preparing updates to restore affected contracts.
Responding swiftly to the crisis, OpenZeppelin has released an update to OpenZeppelin Contracts (versions 4.x and 5.x), enabling the secure use of Multicall with ERC-2771, significantly reducing the risks involved.
The ERC-2771 standard, designed for meta-transactions, allows a trusted forwarder to act as an intermediary that relays the original sender's address to the contract. The Multicall standard (ERC-6357), on the other hand, batches multiple function calls into a single transaction, reducing gas costs. Unfortunately, the unsafe interaction between these two standards results in an "arbitrary address spoofing" vulnerability, allowing malicious manipulation and facilitating the theft of funds.
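As an added illustration (not code from OpenZeppelin, ThirdWeb or this post), the two Solidity contracts below contrast a Multicall that delegatecalls each subcall's raw bytes with a hardened form modelled on the fix OpenZeppelin shipped. The import paths assume OpenZeppelin Contracts 5.x, and `_contextSuffixLength()` is assumed to be the hook that version exposes for the length of the forwarder-appended sender suffix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed import paths for OpenZeppelin Contracts 5.x.
import {ERC2771Context} from "@openzeppelin/contracts/metatx/ERC2771Context.sol";
import {Address} from "@openzeppelin/contracts/utils/Address.sol";

/// Unsafe pattern. The outer call arrives via the trusted forwarder, so
/// _msgSender() is taken from the last 20 bytes of calldata. Each subcall is
/// delegatecalled with only the bytes the batch author supplied, so inside a
/// subcall _msgSender() reads the tail of *that subcall's* data instead of
/// the address the forwarder verified: the sender can be spoofed.
abstract contract MulticallUnsafe is ERC2771Context {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = Address.functionDelegateCall(address(this), data[i]);
        }
    }
}

/// Hardened pattern, modelled on the OpenZeppelin fix (written here from
/// memory, not copied from the library). When the call came through the
/// forwarder, the already-verified sender suffix is re-appended to every
/// subcall, so _msgSender() inside each subcall resolves to the same address
/// as in the outer call. Direct (non-forwarded) calls append nothing.
abstract contract MulticallSafe is ERC2771Context {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        bytes memory context = msg.sender == _msgSender()
            ? new bytes(0)                                           // not forwarded
            : msg.data[msg.data.length - _contextSuffixLength():];   // verified suffix
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = Address.functionDelegateCall(address(this), bytes.concat(data[i], context));
        }
    }
}
```

When auditing a deployed contract, the check to make is whether its `multicall` passes subcall data through unchanged while the contract also inherits ERC-2771 context; if so, the mitigations listed above (disabling the trusted forwarder, pausing, revoking approvals) apply until it is upgraded.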
The Ethereum community is in a state of alert, joining forces to find solutions and updates to protect affected contracts and users. Stay tuned for guidelines and updates as the community works together to strengthen security on Ethereum in the face of this critical challenge.
Although I don't have much involvement with the Ethereum community or the token itself, I see this as a warning that even the oldest Blockchain protocols aren't completely secure. We always need to be alert to possible announcements of critical errors. I consider Ethereum to be the "mother" of altcoins. I'd like to wait until the exchange for the new Proof of Stake.
Well, now that I've thought of it, I might have some Stake for Ethereum 2.0.
It is also interesting to mention a tweet from rpolysec on the X platform: reporting on the possibility of help for users who lost funds to the exploit, he shares the Telegram of a supposed team offering to help with this.
What is LeoFinance / InLeo?
A social platform where users get paid for creating and interacting with crypto and finance content.
Powered by the Hive Blockchain network.
Don't forget to follow me in the Hive community via this profile; I'm also present on X and Reddit, sharing content about Art in Artificial Intelligence, financial matters in general and cryptocurrencies through #LeoFinance, as well as #Play2Earn games.