- Cygaar reports yet another white-hat takeover of an NFT project with improperly written proxy contracts.
- The implementation contract for Kubz was taken over by Cygaar.
- DisableInitializers can prevent something like this from happening in the future.
In a recent tweet shared by Cygaar, a popular software engineer reported another white-hat takeover of an NFT project that was not writing their proxy contracts correctly. He revealed that he has taken over the implementation contract for Kubz.
Another day, another white-hat takeover of an NFT project that isn't writing their proxy contracts correctly.— cygaar (@0xCygaar) February 3, 2023
This time, I have taken over the implementation contract for Kubz 🤓. When will contract developers learn to write proxies properly? pic.twitter.com/qSBNzNimm4
In addition to this, it was revealed that he is now the owner of this particular contract and possesses the ability to call any owner-only functions on the implementation contract. Laying an emphasis on the topic that can allow the prevention of something like this from happening in the future, Cygaar stated that there is something called “disableinitializers”’ that can be added to the constructor of the implementation.
As for the DisableInitializers function, it will facilitate the locking of the implementation and the prevention of any function altered with the initializer from being called.
Even though taking over a transparent proxy might not do anything, airdropping replica NFTs from this address and fooling users into thinking that it is legit can be started. Thus, if Cygaar is not necessarily able to break the real contract, he has the potential to scam users into purchasing/trading a fake collection, which is not considered an ideal outcome.
He affirmed that he is not going to do that and will be transferring the ownership over to Keung once he is able to realize the loophole he has left open.