ERC-1155 Fractional Vault Bug Postmortem [No Incidents 😊]

Deeze
Fractional
Published in
3 min read · Jan 11, 2022

Gm Fractional Fam 🌅☕️

We work every day to earn and maintain the trust people have in the fractional ecosystem and deeply value transparency with the community!

We wanted to provide a quick write-up about a bug one of our most security-minded smart contract devs discovered in the new ERC-1155 contract that we quietly launched in Q4 2021.

You might’ve noticed we disabled the ERC-1155 feature recently, and now we can finally disclose why, and what we fixed to remove a risk it had introduced.

We made it very clear to anyone who chose to fractionalize their piece that this was an unaudited smart contract and that they assumed the risk; nevertheless, we will do better going forward and take this very seriously.

Most importantly, we are thankful that no one abused this bug before we caught it, and no vaults were rugged!

TL;DR

  • We released an unaudited smart contract to mainnet (ERC-1155 fractions)
  • We discovered a bug after a couple weeks already in production
  • We proactively minimized any impacts on the select few vaulters and collectors at risk who interacted with the contract
  • We fixed the bug and learned our lesson

Who Was At Risk?

For >99% of you, you were not at risk at all, and this is simply a reminder of the typical risks associated with using unaudited smart contracts!

For the <1% who were at risk (having either created or bought an ERC-1155 fraction), we took the right steps to protect you, eliminate the risk, and minimize overall impact 😊

The Bug

Because existing ERC-20 fractional vaults have had ETH, ERC-20s, and other NFTs accidentally sent to them, we added a community-requested feature that lets the buyout auction winner claim every token type held in the vault. The unintended consequence was that the winner could also claim back the ETH they had just paid to win the auction, because that ETH sits in the same vault balance as any accidentally sent ETH.

This meant a malicious buyer could have bought out a vault and then claimed back all the ETH they used for the buyout, effectively taking the NFT for free, which is obviously bad.

Steps We Took To Make Things Right

We quietly contacted the few vaulters who fractionalized high-value NFTs, notified them of this issue, effectively bought out their vaults to close them, and returned their NFTs to them in exchange for the ETH we used to buy the vaults out.

The Bug Fix

We have updated the vaults so that any ETH sent directly to the vault is not claimable by the winner, but is instead claimable pro-rata by the fraction owners at the same time they claim the ETH resulting from a buyout.
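To make the bug and the fix concrete, here is a stripped-down vault sketch added for this write-up. It is not Fractional's contract and does not use the real ERC-1155 or auction code; the contract name, the `strayEth` / `buyoutPrice` bookkeeping, and the single-call `buyout()` are assumptions made to keep the accounting readable. The vulnerable claim and the fixed cash-out are shown side by side for contrast; a real contract would ship only the latter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative vault model (not Fractional's code). Fractions are tracked in
/// a plain mapping instead of ERC-1155 so the ETH accounting stays visible.
contract VaultSketch {
    uint256 public immutable totalFractions;
    mapping(address => uint256) public fractions;

    address public winner;       // buyout auction winner, set on settlement
    uint256 public buyoutPrice;  // ETH the winner paid to close the vault
    uint256 public strayEth;     // ETH sent directly to the vault by mistake

    constructor(uint256 supply) {
        totalFractions = supply;
        fractions[msg.sender] = supply;
    }

    /// Accidental plain transfers are recorded separately from buyout
    /// proceeds, so no code path has to treat address(this).balance as one pot.
    receive() external payable {
        strayEth += msg.value;
    }

    /// Settlement collapsed into one call for the sketch (a real auction has
    /// bidding, a reserve price and a timeout).
    function buyout() external payable {
        require(winner == address(0), "already settled");
        require(msg.value > 0, "no bid");
        winner = msg.sender;
        buyoutPrice = msg.value;
    }

    // --- vulnerable pattern --------------------------------------------------
    // "Let the winner claim everything in the vault", written against the raw
    // balance. The winner's own bid is part of address(this).balance, so the
    // winner walks away with the NFT *and* their ETH: a free buyout.
    function claimAllVulnerable() external {
        require(msg.sender == winner, "not winner");
        uint256 amount = address(this).balance; // includes buyoutPrice
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // --- fixed pattern -------------------------------------------------------
    // The winner may only claim non-ETH assets (NFT transfer elided here).
    // All ETH, both the buyout price and anything sent directly, is paid out
    // pro rata to fraction holders when they cash out, never to the winner.
    function cashOut() external {
        require(winner != address(0), "not settled");
        uint256 held = fractions[msg.sender];
        require(held > 0, "no fractions");
        uint256 pot = buyoutPrice + strayEth;
        uint256 share = pot * held / totalFractions;
        fractions[msg.sender] = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: share}("");
        require(ok, "transfer failed");
    }
}
```

The key design point is that ETH is accounted for by source at the moment it arrives (`receive()` vs `buyout()`), so the claim logic can reason about `buyoutPrice` and `strayEth` instead of the raw balance. Because each holder's share is computed from the pot and the fixed `totalFractions`, the sum of all payouts can never exceed the ETH actually held, even if more stray ETH arrives after some holders have already cashed out; integer division leaves a little dust in the contract, which a production version would need to sweep.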

Wrap-up

For ERC-1155 Fractional owners of …

… the vaults have already been bought out and closed, so you can click on the associated hyperlinks above to visit the vault page to cash out your ERC-1155 Fractions for the winning ETH.

Once again, we take this misstep very seriously and will continue to improve our internal processes to do everything we can to avoid something like this happening again in the future.

If you have any questions, please join us on Discord and ask away!

Disclaimer: The Fractional Token Company, its officers, team, and community representatives are not registered financial advisors. All opinions shared on Twitter, Discord, or through other public channels are those of the respective individuals alone. Fractions (fractional ownership tokens) are solely intended to increase participant access to collectable, provable ownership of digital art and their respective communities. Fractional does not condone the creation, buying, or selling of fractions as a means of investment. The Fractional Token Company is not responsible for how curators choose to market their NFTs. Similarly, The Fractional Token Company does not create, handle, or manage the intermediary platforms or networks through which fractions can be transferred, sold, or purchased. Publications from Fractional.art are solely for information and entertainment purposes. Please consult and work directly with tax, legal, financial, and investment professionals before making any fractional creation, transferring, and purchasing decisions.
