A time-boxed security audit of the Art Blocks protocol was conducted by @xenoliss, focusing on the security aspects of the smart contract implementations listed below [1]. The audit revealed two vulnerabilities related to the potential for malicious artist front-running in the token minting process when using non-mint-pass style ERC20 tokens. Only a malicious artist could take advantage of this, and there is no evidence of this happening as far as Art Blocks is aware.
The vulnerabilities require a privileged wallet (“artist”) to maliciously front-run a user who had previously approved an excess amount of a value-based ERC20 token (e.g. USDC) to be transferred by the ERC20 minter contract. Artists are privileged accounts within the Art Blocks ecosystem of contracts, and are generally disincentivized to act maliciously to preserve their reputation. Nevertheless, the audit finding gives an opportunity to add further security safeguards to previously deployed ERC20 minters.
There have been no reported damages or impacts to user funds due to the absence of price and currency guards in any existing minters, as far as Art Blocks is aware. If you discover any impact please contact us at security@artblocks.io.
The vulnerabilities were identified in the MinterSetPriceERC20V5 minter, which was under review. Additionally, the following minters were retroactively patched as they shared similar purchase logic:
- GenArt721Minter
- MinterSetPriceERC20V0
- MinterSetPriceERC20V1
- MinterSetPriceERC20V4
Following the audit, Art Blocks implemented a series of actions to address the identified issues:
- Adding Price and Currency Guards: The currency address and price were added as parameters in the purchase and purchaseTo functions of the MinterSetPriceERC20V5 minter. These parameters are now checked against the configured price and currency address on the project, with transactions reverting upon failure of these checks.
- Internal Investigation of ERC20 Minters: Art Blocks conducted an internal review of active use of all Art Blocks and Art Blocks Engine ERC20 minters, and determined that only mint-pass style tokens were being used, indicating that nothing was immediately vulnerable.
- Implementation in Active ERC20 Minters: Price and currency guards were also implemented in the following minters:
- GenArt721Minter
- MinterSetPriceERC20V0
- MinterSetPriceERC20V1
- MinterSetPriceERC20V4
- The following smart contracts within the Art Blocks Contracts repository were in the scope of the review:
packages/contracts/contracts/libs/v0.8.x/ABHelpers.solpackages/contracts/contracts/libs/v0.8.x/AuthLib.solpackages/contracts/contracts/libs/v0.8.x/minter-libs/GenericMinterEventsLib.solpackages/contracts/contracts/libs/v0.8.x/minter-libs/MaxInvocationsLib.solpackages/contracts/contracts/libs/v0.8.x/minter-libs/MerkleLib.solpackages/contracts/contracts/libs/v0.8.x/minter-libs/SetPriceLib.solpackages/contracts/contracts/libs/v0.8.x/minter-libs/SplitFundsLib.solpackages/contracts/contracts/libs/v0.8.x/minter-libs/TokenHolderLib.solpackages/contracts/contracts/minter-suite/MinterFilter/MinterSetPriceERC20V5.solpackages/contracts/contracts/minter-suite/MinterFilter/MinterSetPriceHolderV5.solpackages/contracts/contracts/minter-suite/MinterFilter/MinterSetPriceMerkleV5.sol