While the recently disclosed smart-contract vulnerability has shaken the DeFi ecosystem, OpenZeppelin has identified the root cause of the threat.
The vulnerability was reported by ThirdWeb on December 5, which said that it lies in a commonly used open-source library. On further investigation, OpenZeppelin found that the vulnerability stems from a problematic integration of the ERC-2771 and Multicall standards.
“We are publicly disclosing a critical vulnerability arising from a problematic integration of the standard ERC-2771 and self delegatecall with user input data, including but not limited to multicall,” said the OpenZeppelin team. “This issue poses a significant risk of address spoofing attacks for projects combining these patterns.”
OpenZeppelin has also published a brief review of the vulnerability in a blog post and described the scope of potential attacks. The smart-contract development firm has helped several pools mitigate attacks, while also noting some ongoing attacks that are exploiting the vulnerability.
As pre-built smart contracts including ERC-721, DropERC20, AirdropERC20 and all variants of ERC-1155 are affected by this vulnerability, OpenZeppelin has released a new update of its Contracts library as a solution.
“While the integration between these patterns remains problematic without the proper measures, the updates made to the OpenZeppelin Contracts library allow its integration in a safe and backwards compatible way,” said the firm.
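To make the mechanism concrete, below is an added toy model (written for this article, not code from OpenZeppelin, ThirdWeb or any real contract) of how an ERC-2771 recipient derives its sender from calldata, how a self-delegatecall multicall passes user-supplied bytes into that derivation, and how the hardened variant re-appends the authenticated sender to every sub-call. Addresses, selectors, the one-byte length-prefixed "ABI encoding" and the `withdraw_all` function are all constructed simplifications of the EVM and of the ABI; the real fix works on `msg.data` with the forwarder's context suffix, which this model reduces to a trailing 20-byte address.

```python
"""Toy model of the ERC-2771 + Multicall interaction (not real contracts)."""
from dataclasses import dataclass

ADDR_LEN = 20  # EVM address width in bytes


def addr(label: str) -> bytes:
    # Constructed placeholder address: a label padded to 20 bytes.
    return label.encode().ljust(ADDR_LEN, b"\x00")[:ADDR_LEN]


@dataclass
class Call:
    sender: bytes  # msg.sender
    data: bytes    # msg.data


def encode_multicall(sub_datas: list[bytes]) -> bytes:
    # Simplified stand-in for ABI encoding of multicall(bytes[] data):
    # selector 'M', a count byte, then length-prefixed payloads.
    out = b"M" + bytes([len(sub_datas)])
    for d in sub_datas:
        out += bytes([len(d)]) + d
    return out


class Recipient:
    """ERC-2771 recipient with a multicall entrypoint (toy model)."""

    def __init__(self, trusted_forwarder: bytes, hardened: bool):
        self.trusted_forwarder = trusted_forwarder
        self.hardened = hardened
        self.balances: dict[bytes, int] = {}

    def _msg_sender(self, call: Call) -> bytes:
        # ERC-2771: when the trusted forwarder is msg.sender, the original
        # sender is the last 20 bytes of calldata; otherwise it is msg.sender.
        if call.sender == self.trusted_forwarder and len(call.data) >= ADDR_LEN:
            return call.data[-ADDR_LEN:]
        return call.sender

    def handle(self, call: Call) -> None:
        selector = call.data[:1]
        if selector == b"W":
            self._withdraw_all(call)
        elif selector == b"M":
            self._multicall(call)
        else:
            raise ValueError("unknown selector")

    def _withdraw_all(self, call: Call) -> None:
        # withdraw_all(to): moves the whole balance of _msgSender() to `to`.
        to = call.data[1:1 + ADDR_LEN]
        sender = self._msg_sender(call)
        amount = self.balances.pop(sender, 0)
        self.balances[to] = self.balances.get(to, 0) + amount

    def _multicall(self, call: Call) -> None:
        # Decode the array; like the ABI decoder, ignore any trailing bytes
        # (that is where the forwarder's sender suffix lives).
        n = call.data[1]
        pos = 2
        sub_datas = []
        for _ in range(n):
            ln = call.data[pos]
            sub_datas.append(call.data[pos + 1:pos + 1 + ln])
            pos += 1 + ln
        suffix = b""
        if self.hardened and call.sender == self.trusted_forwarder:
            # Hardened form: re-append the authenticated sender to every
            # sub-call so that _msgSender() inside the delegatecall resolves
            # to the real origin rather than to caller-chosen trailing bytes.
            suffix = self._msg_sender(call)
        for d in sub_datas:
            # Self-delegatecall: msg.sender is preserved, msg.data becomes `d`.
            self.handle(Call(sender=call.sender, data=d + suffix))


def forward(recipient: Recipient, origin: bytes, payload: bytes) -> None:
    # Trusted forwarder: after verifying the meta-transaction signature
    # (omitted here), it calls the recipient with the origin address appended.
    recipient.handle(Call(sender=recipient.trusted_forwarder, data=payload + origin))


def run_scenario(hardened: bool) -> dict[bytes, int]:
    """Constructed scenario: a meta-transaction from `other` whose sub-call
    data ends in 20 bytes that _msgSender() would read as `victim` unless
    the multicall overrides them. Returns the resulting balances."""
    forwarder, victim, other = addr("forwarder"), addr("victim"), addr("other")
    r = Recipient(forwarder, hardened)
    r.balances = {victim: 100}
    sub = b"W" + other + victim
    forward(r, other, encode_multicall([sub]))
    return r.balances


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

Running the scenario against the unhardened multicall moves the victim's balance, because the inner delegatecall still sees the forwarder as `msg.sender` and so trusts whatever the last 20 bytes of the user-supplied sub-call happen to be; against the hardened multicall the appended suffix wins and the balance stays put. When auditing a contract that mixes these patterns, the check to make is exactly this one: does every self-delegatecall with caller-controlled data carry the authenticated context suffix through to the inner call?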