Thirdweb ERC2771 Security Incident
The MoonCatRescue project was founded upon ideals of exploring technical possibilities and as the NFT ecosystem has expanded with many other projects, one facet that sets the MoonCatRescue project apart is continuing to educate on the technical nuances in an approachable way, leading to a community of very savvy members. That’s one of the many reasons MoonCats continue to thrive even in a downturn market.
Being savvy in the Web3 space is a wise move for end-users, where it can sometimes feel like the Wild West in that there’s a higher likelihood of needing to defend yourself from a bad actor. So, let’s take a moment and learn more about one of the recent technical issues that made some waves in the blockchain. We thank our MoonCat community members who brought this to our attention, including crane on our Discord server.
The Disclosure
On December 4 2023, thirdweb announced a vulnerability in their platform’s custom contracts. The end result is the MoonCatRescue smart contracts were unaffected, but understanding why they’re not affected is good practice for self-defense, and since most Web3 users interact with multiple projects, it’s good to self-evaluate all the projects you interact with, to tell if you should share this information with other maintainers too.
In thirdweb’s first announcement, they mention that the vulnerability is in a “commonly used open-source library” but didn’t name which one.
Within the MoonCatRescue ecosystem, the original MoonCatRescue contract, MoonCatNameService, MoonCatMoments, MoonCat Accessories, and the JumpPort reference no third-party library logic, so from just that initial disclosure, those applications are likely unaffected.
However MoonCatPop, Acclimated MoonCats, and the old wrapper use some OpenZeppelin third-party libraries for logic. And even though the previous smart contracts don’t directly use a third-party library, portions of the MoonCat Accessories contract and JumpPort were inspired by OpenZeppelin libraries, so knowing more about what the “open-source library” did that lead to an issue should be evaluated against what logic those smart contracts are trying to accomplish.
OpenZeppelin did post the following day (December 5) indicating they were contacted by thirdweb, but that the issue is not “particular to the implementations” OpenZeppelin distributed. But that leaves it ambiguous if they’re not the “commonly used open-source library” thirdweb was referring to, or if they were who thirdweb was referring to but it wasn’t a single library that was the issue?
OpenZeppelin clarified on December 7 with a blog post, which indicated the issue was identified as a combination of two individual standards interacting with each other in a bad way.
Affect on MoonCats
The key vulnerability was described as an interaction between ERC2771 (gas-less transactions), and Multicall functionality. Looking back at the MoonCatRescue smart contracts to evaluate if this affects them, only one uses a Multicall-style functionality (MoonCatNameService), and none of them implement ERC2771, so this particular vulnerability doesn’t affect the MoonCatRescue ecosystem.
Note:
Most NFT collectors are used to seeing “ERC721” tossed around as a label, as that’s the key standard for defining a non-fungible token. But that is very different than “ERC2771” which is one of the standards in this security disclosure. ERC2771 has the same numbers in its ID, but is a completely different standard. So don’t read that name too fast and jump to the wrong conclusion!
Affect on Other Projects
The ERC2771 standard is a way for transactions to be posted on behalf of a user, but posted to the blockchain by someone else (sometimes called a “Relayer”). That has the practical upshot of the end user doesn’t need to pay for gas for the transaction (the Relayer does).
If you have in your personal portfolio any assets where the project advertises they support “gas-less transactions”, or the project pays for gas, it would be wise to follow-up with those projects to ask if they’re using ERC2771 as the way to accomplish that feature, and if they’re aware of this potential exploit.
Even if you’re not affected by this vulnerability, it’s good to stay connected to the Web3 community to hear about vulnerabilities like this as they’re disclosed, and learn at least enough about blockchain technologies, such that you can make a baseline assessment yourself if any of the projects you work with are susceptible to security vulnerabilities that get disclosed in the future. It’s great to have a strong community around us as we continue to explore these new tech horizons! Stay safe out there! 🚀
