0xngmi, the founder of the blockchain data platform DefiLlama, tweeted today (21st) that the NFT contracts of the NFT platform Foundation contain a vulnerability that allows the Foundation team to destroy almost all NFTs minted on its platform.
.@foundation's NFT contracts have an exploit that allows foundation's team to destroy almost all NFTs minted on their platform. Here's a thread explaining the exploit
— 0xngmi (@0xngmi) June 21, 2023
Foundation's NFT Collection contracts use the forward proxy pattern to save deployment gas costs, meaning that every collection calls a single shared contract to use its code. 0xngmi noted that this normally shouldn't be an issue; in Foundation's case, however, that shared contract can be self-destructed.
0xngmi says this is because Foundation's collections have a feature that allows a creator to destroy a collection contract once it no longer holds any NFTs. The feature was designed for individual NFT collections, but it also applies to the logic contract (the shared implementation): if that contract holds no NFTs, its creator can destroy it. This makes it possible for the Foundation team, as the owner of the logic contract, to destroy it.
If the Foundation team did this, every collection contract would start to fail, because the collections would be calling into code that no longer exists. The combination of these two features therefore allows the Foundation team to effectively delete all NFT collections minted on its platform.
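A simplified reconstruction of the pattern described above, added here as an example and not Foundation's own code: the "retire an empty collection" function is reachable on the shared logic contract, and two independent guards (a constructor that locks the logic contract's storage, and an `address(this)` check against the logic contract's own address) each close the hole. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Vulnerable: the "retire an empty collection" feature is reachable on the shared
// logic contract itself, so whoever initialises it can wipe the code every proxy uses.
contract VulnerableCollectionLogic {
    address public creator;
    uint256 public totalSupply;
    bool internal initialized;

    // Proxies call this once; nothing stops the same call on the logic contract.
    function initialize(address _creator) external {
        require(!initialized, "already initialized");
        initialized = true;
        creator = _creator;
    }

    function mint() external {
        require(msg.sender == creator, "not creator");
        totalSupply += 1;
    }

    function selfDestruct() external virtual {
        require(msg.sender == creator, "not creator");
        require(totalSupply == 0, "collection not empty");
        selfdestruct(payable(msg.sender));
    }
}

// Hardened: two independent guards, either of which closes the hole.
contract HardenedCollectionLogic is VulnerableCollectionLogic {
    // address(this) as seen from the logic contract's own bytecode; a proxy
    // delegatecalling here sees its own address instead.
    address private immutable __self = address(this);

    // 1. Lock the logic contract's own storage so it can never get a creator.
    //    Minimal proxies (EIP-1167) do not run this constructor, so they still initialise.
    constructor() {
        initialized = true;
    }

    // 2. Refuse to self-destruct unless running behind a proxy.
    function selfDestruct() external override {
        require(address(this) != __self, "not callable on logic contract");
        require(msg.sender == creator, "not creator");
        require(totalSupply == 0, "collection not empty");
        selfdestruct(payable(msg.sender));
    }
}
```

Since EIP-6780 (the Dencun upgrade, March 2024), `selfdestruct` on Ethereum mainnet no longer removes a contract's code unless called in the same transaction that created it, which narrows this failure mode there; the guards above still apply on chains without that change.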
0xngmi said they disclosed the issue and a fix to Foundation six months ago, but the vulnerability has still not been patched. 0xngmi also pointed out two risks. If Foundation's key is leaked, an attacker could hold all NFTs for ransom or destroy them outright. Second, if legal or regulatory issues arise around an NFT, Foundation could simply destroy it.
This article, "DefiLlama founder reveals a vulnerability in NFT platform Foundation that allows the team to destroy all NFTs minted on the platform", first appeared on Zombit.