BlurExchange: dangerously upgradeable proxy contract

SNEAK PEEK

  • Twitter account 0xQuit tweets Blur contract review.
  • Blur, OpenSea, and LooksRare follow similar modular components for contracts.
  • NFT marketplace Blur went live on October 20, 2022.

oSnipe founder 0xQuit followed up on an earlier Blur Twitter thread with another contract review, but the Twitter account was disappointed with what they found.

In the prior Twitter post, 0xQuit shared that NFT marketplace Blur, which launched on October 20 after raising $14 million from @paradigm, @CozomoMedici and @punk6529, announced care packages for those who will “stick around for the bear.”

In that thread, 0xQuit promised to post a contract review of the marketplace after verification. However, the Twitter account said they “didn’t like what I found.” While sharing a breakdown of valuable assets in the thread, they clarified that they still admire Blur’s interface and tooling. They also highlighted that it is up to users to enforce good practices by voting with their wallets.

They added that the Blur approval request for 0x00000000000111AbE46ff893f3B2fdF1F759a8A8 is an ExecutionDelegate, a contract that strictly handles token transfers for the Blur exchange. 0xQuit stated that this is not unusual, sharing examples such as OpenSea’s Conduit contract and LooksRare’s TransferManager.

The Twitter account clarified that these are similar constructs: each has a modular component whose specialized purpose is transferring tokens, and that is the common denominator.

Attaching a screenshot of what LooksRare’s contract looks like when users approve something, they highlighted a line in the code that “blocks anything other than the exchange address from transferring tokens, and that address is set at deployment (line 9) and is set to be immutable (line 2). This is about what I would expect.”

At the same time, they posted a screenshot of OpenSea’s conduit, which follows a similar structure with a more complex arrangement: the conduits are deployed by controllers that can add channels allowing token movements.

In other words, the controllers have the power either to follow the rules laid out by Seaport or to “yank” users’ approved tokens.

Switching to Blur, 0xQuit notes the `approvedContract` modifier: that is what prevents just anybody from transferring your tokens, and it does so simply by checking a mapping to see whether or not the caller is allowed to move tokens.

While the owner decides who can call `approvedContract` to add an address to that mapping, it can also be called again later, and “any address that’s added to that mapping can yank all of the tokens you’ve approved to Blur.”
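The difference 0xQuit is describing comes down to where the list of permitted callers lives. The following simplified Solidity, added here as an illustration and not taken from Blur, LooksRare or OpenSea, puts the two patterns side by side: a transfer manager whose only permitted caller is fixed at deployment, and a delegate that looks callers up in an owner-editable mapping. Contract and function names (`ImmutableTransferManager`, `OwnerApprovedDelegate`, `approveContract`, `denyContract`, `canMove`) are this example’s own assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-721 surface that both delegates call (interface only).
interface IERC721Like {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Pattern 1 (LooksRare-style, as described in the thread): the single
// address allowed to move approved tokens is set once in the constructor
// and is immutable, so no later transaction can add a second caller.
contract ImmutableTransferManager {
    address public immutable EXCHANGE;

    constructor(address exchange) {
        EXCHANGE = exchange;
    }

    function transferERC721(address collection, address from, address to, uint256 tokenId) external {
        require(msg.sender == EXCHANGE, "caller is not the exchange");
        IERC721Like(collection).transferFrom(from, to, tokenId);
    }

    // Anyone can verify the full set of callers: it is exactly one address.
    function canMove(address caller) external view returns (bool) {
        return caller == EXCHANGE;
    }
}

// Pattern 2 (Blur-style, as described in the thread): callers are checked
// against a mapping, and the owner can extend that mapping at any time
// after users have already granted their approvals.
contract OwnerApprovedDelegate {
    address public owner;
    mapping(address => bool) public contracts;

    event ApproveContract(address indexed target);
    event DenyContract(address indexed target);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // The modifier named in the thread: a plain mapping lookup on msg.sender.
    modifier approvedContract() {
        require(contracts[msg.sender], "contract is not approved");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Owner-only, but callable again and again; every approved target gains
    // the same transfer power over everything users have approved here.
    function approveContract(address target) external onlyOwner {
        contracts[target] = true;
        emit ApproveContract(target);
    }

    function denyContract(address target) external onlyOwner {
        contracts[target] = false;
        emit DenyContract(target);
    }

    function transferERC721(address collection, address from, address to, uint256 tokenId)
        external
        approvedContract
    {
        IERC721Like(collection).transferFrom(from, to, tokenId);
    }

    // The caller set is whatever the mapping currently says, so a user who
    // checked it when approving has to keep re-checking it.
    function canMove(address caller) external view returns (bool) {
        return contracts[caller];
    }
}
```

For a user or auditor, the practical consequence is in the two `canMove` views: with the immutable pattern a single read at approval time settles the question for the life of the contract, whereas with the mapping pattern the answer can change with every `ApproveContract` event, so watching that event (or periodically re-reading the mapping) is the only way to know who can currently move tokens approved to the delegate.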

While this is the same as OpenSea, according to the Twitter account, Blur is yet to earn that level of trust.