Foundation claims to fix 'self-destruct' feature that could have wiped out its NFTs

NFT platform Foundation claims to have fixed issues concerning a self-destruct function that theoretically could have been used to wipe out all NFTs minted through its platform.

The issue was first highlighted publicly on June 21 by 0xngmi, co-founder of crypto analytics provider DeFiLlama, after a six-month period of negotiations with the company to disclose and fix the issue.

"This has been fixed for contracts deployed before 3/6," said Foundation co-founder and CTO Elpizo Choi on Twitter. "Contracts deployed after 3/6 were already safe - the owner of the implementation contract was set to 0, and the contract could not have been self destructed."

What was the issue?

All NFT collections on Foundation are minted using a single deployer contract and employ a "forwarder proxy," a design feature intended to reduce transaction fees during contract deployments.

This itself isn’t concerning — it’s the fact the contract contained a “self-destruct” function that posed a severe threat to all collections minted on the platform. This feature was originally meant to allow creators to destroy (or burn) their own collections if needed but it posed a risk to any NFT created with it.

At the time of the disclosures, the contract was secured by “2-out-of-6 multi-signature wallet,” meaning the account securing the deployer contract could be upgraded and taken over with two signatures from the Foundation’s team members or whoever has access to it, per 0xngmi.

The concern was that, should a hacker gain control of these two keys, they could hold all the NFTs for ransom or destroy them entirely. 0xngmi explained in a GitHub post they simulated the attack and verified that the owner of the contract could brick all NFTs.

“All collectors that own Foundation pieces assume that their NFTs are immutable in the blockchain and can’t be manipulated. At most only metadata is at risk,” 0xngmi wrote on Twitter. “However reality is very far from that, all NFTs are just two transactions away from being destroyed.”

Disclosing the problem

0xngmi stated that he first notified Foundation of the vulnerability in December 2022. He added that on June 19, the platform responded, instructing 0xngmi to submit the concern to its bounty program and to complete a KYC process. Since then, he said there had been no progress, and 0xngmi had not received any further communication from Foundation, they told The Block.

0xngmi has suggested his own solution to the issue. Mint an NFT from the implementation address and then send it to a burner address, effectively eliminating the bug, he said.

Foundation makes up a small share of the NFT marketplace industry. In May of 2023, the firm brought in $1.42 million, or 0.2%, of the $673.6 million total volume, according to The Block’s Data Dashboard. The platform Blur brought in most of May’s monthly volume at $377.2 million, or 56%.

Foundation did not respond to The Block’s request for comment regarding the NFT vulnerability.