
Blur NFT Marketplace May Not Be So Safe

Following a successful airdrop claim, the now-reviewed smart contracts for the Blur NFT marketplace present a questionable picture. The assessment of the Blur NFT contracts by Twitter user @0xQuit is a follow-up to a thread he had previously started on the Blur airdrop. Read on for the findings of the contract review.

What Can We Learn From the Results of the Contract Review?

In the first thread about the airdrop, @0xQuit discussed the steps required to receive the airdrop. Listing an NFT was one of those steps. Users of the Blur NFT marketplace were required to sign a contract that was not verified at the time. @0xQuit recommended that users complete this step with a low-tier, low-value NFT. After additional research, it was determined that the approval request sent by Blur was for the contract at address 0x00000000000111AbE46ff893f3B2fdF1F759a8A8. On the exchange, this contract is solely responsible for handling token transfers. Other marketplaces, such as OpenSea and LooksRare, use virtually identical code. In their most fundamental form, these contracts are very much like “modular components with the highly specialized aim of transferring tokens.”

For instance, the LooksRare code stipulates that once the contract is approved, only LooksRare is authorized to move different tokens between the exchange and the marketplace. On OpenSea, a very similar process is used, but control is delegated to “conduit controllers,” which are responsible for adding channels that enable transfers.

For users of OpenSea or LooksRare to approve these contracts, they need a high level of trust in the respective services. Regarding Blur, @0xQuit raises two primary concerns. The first is that, like those identical conduits, the code simply checks whether the caller has permission to move tokens.

This indicates that the owner of the smart contract retains the ability to add new addresses to the mapping and withdraw tokens at their discretion. Blur is still quite new and has not yet established itself as a trustworthy marketplace. Another source of contention centered on the so-called “exchange contract,” which is transferable on its own. That is to say, people would never really know what they are giving their consent to.

Potential Solutions

In light of these two vulnerabilities, marketplace owner @Pacman Blur has assured users that they are safe. The contracts are multi-signature contracts, and @0xQuit is also responsible for verifying them. Additionally, @0xQuit brought up a couple of potential solutions. The first is to finish the BlurExchange contract in such a way that it cannot be upgraded. The other is to relinquish ownership of the ExecutionDelegate so that no other contracts can be removed or added.

In response, @Pacman Blur tweeted that these issues are comparable to those in the contracts in place at OpenSea and X2Y2. On either of these platforms, anyone could at any time add other callers to the contracts. He also mentioned that the marketplace had completed security audits conducted by Dedaub and Code4rena. He further remarked, “I think your proposals are sensible, and we will surely consider finishing the exchange contract at some point in the future.” That said, achieving 100 percent security is impossible. There are always a variety of risk vectors, ranging from physical to digital to hardware.
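The trust assumption behind the first concern, and the effect of relinquishing ownership of the delegate, can be seen in a small model. This is an added example, not Blur's code: the class, method and account names are assumptions, and the contract is reduced to a Python object.

```python
# Simplified model of a transfer-delegate contract (illustrative names only).
class NotApproved(Exception):
    pass

class NotOwner(Exception):
    pass

class TransferDelegate:
    """Holds users' token approvals and moves tokens for approved callers."""
    def __init__(self, owner):
        self.owner = owner
        self.approved_callers = set()  # the caller mapping the article refers to
        self.user_approvals = set()    # users who approved this delegate
        self.token_owner = {}          # token_id -> current holder

    def _only_owner(self, sender):
        if self.owner is None or sender != self.owner:
            raise NotOwner(sender)

    def approve_caller(self, sender, caller):
        self._only_owner(sender)
        self.approved_callers.add(caller)

    def renounce_ownership(self, sender):
        self._only_owner(sender)
        self.owner = None  # the caller mapping can no longer change

    def transfer(self, sender, token_id, frm, to):
        # The only gate on moving a user's token is the caller mapping.
        if sender not in self.approved_callers:
            raise NotApproved(sender)
        if frm not in self.user_approvals or self.token_owner.get(token_id) != frm:
            raise NotApproved(frm)
        self.token_owner[token_id] = to

def scenario(renounce_first):
    """Return who holds token 1 after the owner tries to add a new caller."""
    d = TransferDelegate(owner="multisig")        # constructed sample accounts
    d.approve_caller("multisig", "exchange")
    d.user_approvals.add("alice")
    d.token_owner[1] = "alice"
    if renounce_first:
        d.renounce_ownership("multisig")
    try:
        d.approve_caller("multisig", "new_contract")
        d.transfer("new_contract", 1, "alice", "elsewhere")
    except NotOwner:
        pass  # mapping is frozen, so the user's approval covers only "exchange"
    return d.token_owner[1]
```

With ownership retained, the user's approval extends to whatever caller the owner adds later; once ownership is renounced, the approval covers only the callers that existed at that point.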
