{"id":80635,"date":"2023-06-22T18:03:00","date_gmt":"2023-06-22T15:03:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=80635"},"modified":"2025-09-11T18:08:30","modified_gmt":"2025-09-11T15:08:30","slug":"nft-platform-foundation-fixes-self-destruct-risk-that-could-wipe-out-all-nfts-issued-on-the-platform","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/nft-platform-foundation-fixes-self-destruct-risk-that-could-wipe-out-all-nfts-issued-on-the-platform\/","title":{"rendered":"NFT platform Foundation fixes self-destruct risk that could wipe out all NFTs issued on the platform"},"content":{"rendered":"<p>Foundation fixed a vulnerability that could have been used to wipe out all NFTs issued on the platform.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">This has been fixed for contracts deployed before 3\/6.<\/p>\n<p>Contracts deployed after 3\/6 were already safe \u2014 the owner of the implementation contract was set to 0, and the contract could not have been self destructed.<\/p>\n<p>\u2014 Elpizo Choi (@elpizoch) <a href=\"https:\/\/twitter.com\/elpizoch\/status\/1671694431865675776?ref_src=twsrc%5Etfw\">June 22, 2023<\/a><\/p><\/blockquote>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u00abWe fixed this for contracts deployed before 3\/6. Contracts deployed after 3\/6 were already safe \u2014 the owner of the implementation contract was set to 0. 
It cannot be destroyed\u00bb,<\/em> \u2014 said Elpizo Choi, co-founder and CTO of Foundation on Twitter.<\/p>\n<\/blockquote>\n<p>On June 21, the vulnerability was flagged by the DeFi Llama co-founder under the handle 0xngmi.<\/p>\n<p>He disclosed the information six months after talks with the company about the issue.<\/p>\n<p>According to <a href=\"https:\/\/www.theblock.co\/post\/235953\/foundation-claims-to-fix-self-destruct-feature-that-could-have-wiped-out-its-nfts\">The Block<\/a>, the researcher alerted the team to the vulnerability in December 2022. In June, Foundation proposed that 0xngmi undergo <span data-descr=\"Know Your Customer\" class=\"old_tooltip\">KYC<\/span> to participate in the bounty program, but there was no progress after that.<\/p>\n<p>0xngmi proposed a solution to fix the problem.<\/p>\n<p>All NFT collections on Foundation are created using a single deployment contract and rely on a forwarding proxy, a design trick intended to reduce fees.<\/p>\n<p>The <a href=\"https:\/\/etherscan.io\/address\/0x67Df244584b67E8C51B10aD610aAfFa9a402FdB6\">contract<\/a> contained a &#8216;self-destruct&#8217; function. It posed a serious threat to all collections issued on the platform.<\/p>\n<p>Originally, the function was intended to allow creators to burn their own collections if needed. At the same time, it put any NFT created using Foundation at risk.<\/p>\n<p>At the time of disclosure, the contract was protected by a &#8216;<a href=\"https:\/\/u1f987.com\/en\/news\/what-is-a-multisignature-what-is-a-ring-signature\">multisig<\/a> wallet with two of six signatures&#8217;. 
According to 0xngmi, the developers' account safeguarding the contract could be updated and its control handed over using two signatures from Foundation team members or from anyone with access to them.<\/p>\n<p>The problem was that if a hacker gained control of these two keys, they could hold all the tokens for ransom or destroy them entirely.<\/p>\n<p>0xngmi <a href=\"https:\/\/github.com\/0xngmi\/foundation-exploit\">explained<\/a> that the developers modelled an attack and confirmed that the owner could lock all NFTs.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u00abAll holders of Foundation-issued tokens assume their assets are immutable on the blockchain and cannot be manipulated. In the best case only metadata is at risk. In reality all NFTs are just two transactions away from destruction\u00bb<\/em> \u2014 warned the DeFi Llama co-founder.<\/p>\n<\/blockquote>\n<p>As a reminder, the smart-contract security auditor CertiK <a href=\"https:\/\/u1f987.com\/en\/news\/sui-pays-certik-500000-bounty-for-vulnerability-discovery\">received a reward<\/a> of $500,000 for discovering a critical vulnerability in the <a href=\"https:\/\/u1f987.com\/en\/news\/sui-an-ambitious-blockchain-and-cryptocurrency-from-meta-alumni\">Sui<\/a> blockchain.<\/p>\n<p>Earlier, BlockSec <a href=\"https:\/\/u1f987.com\/en\/news\/blocksec-thwarted-attack-on-paraspace-nft-project\">identified<\/a> a bug in the NFT lending protocol ParaSpace. 
The bug threatened the loss of 2,900 ETH and an unspecified number of BAYC tokens.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Foundation fixed a vulnerability that could have wiped out all NFTs issued on the platform.<\/p>\n","protected":false},"author":1,"featured_media":80636,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1111,1213],"class_list":["post-80635","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-cybersecurity","tag-nft"],"aioseo_notices":[],"amp_enabled":true,"views":"13","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/80635","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=80635"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/80635\/revisions"}],"predecessor-version":[{"id":80637,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/80635\/revisions\/80637"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/80636"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=80635"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=80635"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\
/en\/wp-json\/wp\/v2\/tags?post=80635"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}