
NFT platform Foundation fixes self-destruct risk that could wipe out all NFTs issued on the platform
Foundation fixed a vulnerability that could have been used to wipe out all NFTs issued on the platform.
This has been fixed for contracts deployed before 3/6.
Contracts deployed after 3/6 were already safe — the owner of the implementation contract was set to 0, and the contract could not have been self-destructed.
— Elpizo Choi (@elpizoch) June 22, 2023
«We fixed this for contracts deployed before 3/6. Contracts deployed after 3/6 were already safe — the owner of the implementation contract was set to 0. It cannot be destroyed», said Elpizo Choi, co-founder and CTO of Foundation, on Twitter.
On June 21, the vulnerability was publicly disclosed by the DeFi Llama co-founder known by the handle 0xngmi.
He went public six months after first raising the issue with the company.
According to The Block, the researcher alerted the team to the vulnerability in December 2022. In June, Foundation asked 0xngmi to complete KYC in order to take part in its bounty program, but there was no further progress after that.
0xngmi proposed a solution to fix the problem.
All NFT collections on Foundation are created through a single deployment contract and rely on a forwarding proxy: each collection is a thin proxy that delegates to one shared implementation contract, a design choice intended to reduce gas fees.
That shared contract contained a 'self-destruct' function, which posed a serious threat to every collection issued on the platform.
Originally, the function was intended to let creators burn their own collections if needed. But because every collection proxy depends on the same implementation, destroying that implementation would have affected every NFT created using Foundation.
At the time of disclosure, the contract was owned by a 2-of-6 multisig wallet. According to 0xngmi, ownership of the contract could be updated and transferred with just two signatures from Foundation team members, or from anyone who gained access to their keys.
The problem was that if an attacker obtained control of those two keys, they could hold all the tokens for ransom or destroy them entirely.
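To make the failure mode concrete, the following is an added illustration and not Foundation's code: contract names, the storage layout, and the initialize/mint/selfDestruct functions are assumptions made for the example. It shows a forwarding proxy that delegatecalls into a shared logic contract whose selfdestruct is gated only by an owner check, and the fix the article describes, which is to deploy the logic contract with its owner set to the zero address so that the check can never pass on the implementation itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example only (not Foundation's contracts). Shared logic that
// every collection proxy delegatecalls into. Storage slots 0..2 below are the
// layout the proxy will use; the proxy itself declares no storage variables.
abstract contract CollectionLogic {
    address public owner;                          // slot 0
    bool internal initialized;                     // slot 1
    mapping(uint256 => address) public tokenOwner; // slot 2

    // Called once per proxy, in the proxy's own storage context.
    function initialize(address creator) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = creator;
    }

    function mint(uint256 id) external {
        require(tokenOwner[id] == address(0), "already minted");
        tokenOwner[id] = msg.sender;
    }

    // Meant to let a creator burn their own collection. Reached through a
    // proxy, selfdestruct runs in the proxy's context and removes only that
    // proxy. Called directly on the implementation by its owner, it removes
    // the shared code, and every proxy that forwards here stops working.
    function selfDestruct() external {
        require(msg.sender == owner, "not owner");
        selfdestruct(payable(owner));
    }
}

// Assumed vulnerable deployment: the deployer (the 2-of-6 multisig in the
// article) is recorded as owner of the implementation instance, so two
// signatures are enough to destroy the code behind every collection.
contract CollectionLogicVulnerable is CollectionLogic {
    constructor() {
        initialized = true;
        owner = msg.sender;
    }
}

// Fixed deployment, following the article: the implementation instance is
// locked and has owner == address(0). No transaction can have msg.sender equal
// to the zero address, so the owner gate on the implementation never passes.
contract CollectionLogicFixed is CollectionLogic {
    constructor() {
        initialized = true;
        owner = address(0);
    }
}

// Minimal forwarding proxy, one per collection, pointing at the shared logic.
contract CollectionProxy {
    address public immutable implementation;

    constructor(address impl, address creator) {
        implementation = impl;
        (bool ok, ) = impl.delegatecall(
            abi.encodeWithSignature("initialize(address)", creator)
        );
        require(ok, "init failed");
    }

    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

The check a holder or auditor can run against such a design is to call `owner()` on the implementation address itself (not on a collection proxy) and confirm it returns the zero address, and to confirm the implementation cannot be re-initialized. Removing the selfdestruct path from the implementation entirely is the stronger fix. Note also that on Ethereum after the Cancun upgrade (EIP-6780, March 2024) `selfdestruct` no longer deletes code except within the creating transaction; at the time of this disclosure in 2023 the older semantics applied, so a destroyed implementation would have left every proxy forwarding to empty code.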
0xngmi added that the developers modelled the attack and confirmed that the contract owner could lock all NFTs.
«All holders of Foundation-issued tokens assume their assets are immutable on the blockchain and cannot be manipulated. In the best case only metadata is at risk. In reality all NFTs are just two transactions away from destruction» — warned the DeFi Llama co-founder.
As a reminder, the smart-contract security auditor CertiK received a $500,000 reward for discovering a critical vulnerability in the Sui blockchain.
Earlier, BlockSec identified a bug in the NFT lending protocol ParaSpace. The bug threatened the loss of 2,900 ETH and an unspecified number of BAYC tokens.