
Decoding the ERC-2771 Delegatecall Vulnerability

Introduction

The blockchain ecosystem, constantly evolving and advancing, has recently encountered a significant security hurdle – the ERC-2771 Delegatecall Vulnerability. This issue, discovered within the integration of ERC-2771 and Multicall standards, poses a substantial risk to contracts that implement these standards concurrently. This article delves into the technicalities of this vulnerability, exploring its mechanics, risks, and mitigation strategies.

Understanding the ERC-2771 Standard

ERC-2771 is a protocol designed for authenticating users in transactions relayed through a third party. It plays a pivotal role in reducing transaction costs and streamlining operations on the blockchain. However, this convenience comes with a hidden risk.

The standard operates through a sequence of steps:

User Request Signing: Users sign their transaction requests, embedding a signature within the transaction payload.

Relay Contract Verification: A relay contract, known as the Trusted Forwarder, authenticates the signature and appends the user’s address to the transaction data (calldata).

Target Contract Decoding: The final recipient contract decodes the user’s address from this data. A typical decoding process in ERC-2771 looks like this:

The Multicall Method and Its Complications

A typical implementation of a multicall function further exposes the system to this vulnerability. In such implementations, delegatecall is executed within a loop, targeting the contract itself. A delegatecall preserves msg.sender (here, the trusted forwarder) but replaces the calldata with data[i], so _msgSender() returns the last 20 bytes of data[i], which an attacker can manipulate to spoof the identity of the original transaction signer. A typical Multicall function vulnerable to this exploit would look as follows:


The Attack Visualized


Proactive Measures and Solutions

In response to this discovery, teams like OpenZeppelin have spearheaded efforts to identify and mitigate these risks. OpenZeppelin, for instance, released an update in its Contracts library to safely integrate Multicall with ERC2771Context. This update introduces a context suffix length for ERC2771Context data, ensuring proper identification and adaptation of calls from a trusted forwarder.
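The sketch below is an added example, not code from the original article or from OpenZeppelin. It puts the ERC-2771 sender decoding and the vulnerable multicall loop described above next to a hardened loop that re-appends the forwarder's verified suffix to every subcall. The contract name, function names and the fixed 20-byte suffix length are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all names here are hypothetical.
contract ForwardedMulticall {
    address public immutable trustedForwarder;
    uint256 private constant SUFFIX_LEN = 20; // assumption: forwarder appends one address
    mapping(address => uint256) public credits;

    constructor(address forwarder) { trustedForwarder = forwarder; }

    // ERC-2771 decoding: if the caller is the trusted forwarder, the sender
    // is the last 20 bytes of calldata; otherwise it is msg.sender.
    function _msgSender() internal view returns (address) {
        if (msg.sender == trustedForwarder && msg.data.length >= SUFFIX_LEN) {
            return address(bytes20(msg.data[msg.data.length - SUFFIX_LEN:]));
        }
        return msg.sender;
    }

    // Example state-changing function that trusts _msgSender().
    function claim() external { credits[_msgSender()] += 1; }

    // VULNERABLE: delegatecall keeps msg.sender (the forwarder) but msg.data
    // becomes data[i], so _msgSender() reads 20 bytes chosen by the caller.
    function multicallUnsafe(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "subcall failed");
            results[i] = ret;
        }
    }

    // HARDENED: for a forwarded call, append the verified suffix to each
    // subcall so its calldata always ends with the authenticated signer.
    function multicallSafe(bytes[] calldata data) external returns (bytes[] memory results) {
        bytes memory context = msg.sender == _msgSender()
            ? new bytes(0)
            : msg.data[msg.data.length - SUFFIX_LEN:];
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) =
                address(this).delegatecall(bytes.concat(data[i], context));
            require(ok, "subcall failed");
            results[i] = ret;
        }
    }
}
```

When auditing, look for any contract that combines a forwarder-aware `_msgSender()` with a self-targeting delegatecall loop, and check that each subcall carries the suffix the forwarder authenticated.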

Conclusion

The discovery of the ERC-2771 and Multicall vulnerability underscores the ever-present need for vigilance and continuous improvement in blockchain security. As the technology evolves, so do the challenges and complexities associated with maintaining a secure and trustworthy environment. Through collective effort and shared knowledge, the blockchain community continues to strengthen its defenses against such vulnerabilities, paving the way for a more secure and efficient future in decentralized technology.

Abdul Sami J.
