Following a successful airdrop announcement, the now-reviewed Blur NFT marketplace smart contracts paint a shady picture. The review of the Blur NFT contracts, by Twitter user @0xQuit, is a follow-up to his previous thread on the Blur airdrop. Read on to learn what the contract review has revealed.
What Do The Contract Review Results Show?
In the original airdrop thread, @0xQuit described a step-by-step process to collect the airdrop. One of these steps was to list an NFT. The Blur NFT marketplace required users to sign an approval for a (then) unverified contract, so @0xQuit suggested users list a low-tier, low-value NFT for this step. Upon further review, the Blur approval request was for contract 0x00000000000111AbE46ff893f3B2fdF1F759a8A8. This contract strictly handles token transfers on the exchange. Similar code exists in other marketplaces such as OpenSea and LooksRare. These contracts are, in essence, very similar “modular components with a very specialized purpose of transferring tokens.”
For example, on LooksRare, the code states that on approving the contract, only the LooksRare exchange is allowed to transfer tokens on the user’s behalf. On OpenSea, a similar process takes place, but control is given to “conduit controllers” that add channels through which tokens can be moved.
What this basically means is that users need a high degree of trust in OpenSea or LooksRare before approving their contracts. On Blur, there are two key issues that @0xQuit points out. The first is that in Blur’s code, the equivalent conduit only checks whether the caller is on the list of addresses allowed to move tokens.
This means that the owner of the smart contract can still add other addresses to that mapping and yank tokens. Blur, as a new marketplace, has not yet earned that level of trust. The second issue concerns the “exchange contract”, which is itself transferrable, meaning that users would never truly know what they are approving.
Potential Solutions
With these two issues brought to light, marketplace owner @Pacman_Blur has assured users of their safety. The contracts are multi-signature contracts, as verified by @0xQuit. @0xQuit also pointed out a couple of solutions, the first being to finalize the BlurExchange contract so that it is no longer upgradeable. The other is renouncing ownership of the ExecutionDelegate so that no new contracts can be added or removed.
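To make the two points above concrete, here is an added illustrative contract (not Blur’s code, and not a reproduction of the contract reviewed) in the shape the review describes: a delegate that moves a user’s tokens for any caller on an owner-controlled allow-list, together with the renounce-ownership mitigation @0xQuit suggests. All names in it are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical delegate in the shape the review describes: users give this
// contract ERC-721 approval, and it moves tokens only for callers the owner
// has allow-listed. The risk: the owner can allow-list a new caller at any
// time, so approving it is trust in the owner, not only in the exchange.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract ExampleExecutionDelegate {
    address public owner;                      // zero address once renounced
    mapping(address => bool) public contracts; // allow-listed callers

    event ContractApproved(address indexed caller);
    event ContractDenied(address indexed caller);
    event OwnershipRenounced();

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier onlyApproved() { require(contracts[msg.sender], "not approved"); _; }

    constructor() { owner = msg.sender; }

    // The owner-only mutation that turns the allow-list into a trust assumption:
    // any address added here can move every token approved to this contract.
    function approveContract(address c) external onlyOwner {
        contracts[c] = true;
        emit ContractApproved(c);
    }
    function denyContract(address c) external onlyOwner {
        contracts[c] = false;
        emit ContractDenied(c);
    }

    // Mitigation from the review: once ownership is renounced, no caller can
    // ever be added or removed, so the set users approved is frozen.
    function renounceOwnership() external onlyOwner {
        owner = address(0);
        emit OwnershipRenounced();
    }

    // Only allow-listed callers (normally the exchange) move a user's token.
    function transferERC721(address token, address from, address to, uint256 id)
        external onlyApproved
    {
        IERC721(token).transferFrom(from, to, id);
    }

    // What a user can check before approving: can the allow-list still change?
    function allowlistIsFrozen() external view returns (bool) {
        return owner == address(0);
    }
}
```

Before granting an approval, reading `owner()` (or `allowlistIsFrozen()`) and the past `ContractApproved` events tells a user whether new callers can still be added and which addresses are already allowed.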
In response, @Pacman_Blur also tweeted that these concerns are similar to the contracts at OpenSea and X2Y2, as both platforms could have anyone add extra callers to the contracts at any time. He also stated that the marketplace has completed its security audits via Dedaub and Code4rena, adding: “I think your suggestions are reasonable and we will definitely consider finalizing the exchange contract in the future. With that said 100% security is never achievable. There are always threat vectors from hardware to digital to physical.”