Blur NFT Marketplace Might Not Be As Safe As We Thought

a screenshot of the Blur NFT marketplace

Following a successful airdrop announcement, the now-reviewed Blur NFT marketplace smart contracts paint a shady picture. The Blur NFT contracts review, by Twitter user @0xQuit, is a follow-up to his previous thread on the Blur airdrop. So, what has the Blur contract review revealed? And what is suspicious about these Blur contracts?

a screenshot of the Blur NFT marketplace

What Do The Blur NFT Marketplace Contract Review Results Show?

On the original airdrop thread, @0xQuit mentioned a step-by-step process to collect the airdrop. One of these steps was to list an NFT. The Blur NFT marketplace required users to sign a (then) unverified contract. So, @0xQuit suggested users upload a low-tier, low-value NFT for this step. Upon further review, the Blur approval request was for contract 0x00000000000111AbE46ff893f3B2fdF1F759a8A8.

This contract strictly handles token transfers on the exchange. A similar code exists between other marketplaces like OpenSea and LooksRare. These contracts are, in essence, very similar “modular components with a very specialized purpose of transferring tokens.”

For example, on LooksRare, the code states that on approving the contract, only LooksRare can handle token transfers between the exchange/marketplace.  On OpenSea, a similar process takes place, but with the control given over to “conduit controllers” that add channels to allow movement/transfers of movement.

LooksRare Exchange Smart Contract Codes

LooksRare Exchange Smart Contract Codes. Line 27 blocks anything other than the marketplace address from transferring tokens. This address is set at Line 9.

To put it simply, the users would need a high degree of trust in OpenSea or LooksRare for them to approve contracts. However, on Blur, there are two key issues that @0xQuit points out. The first is that in their code, the same conduits only check if the caller is allowed to move tokens.

This means that the owner of the smart contract can still add other addresses to the mapping, and yank tokens. Blur as a new NFT marketplace has not yet earned that level of trust. Another issue pointed to the “exchange contract”, which is in itself transferrable. Meaning that users would never truly know what they are approving.

Potential Solutions

With these two issues in light, Blur marketplace owner @Pacman_Blur has assured users of safety. The contracts are multi-signature contracts, verified by @0xQuit as well. @0xQuit also pointed out a couple of solutions, the first being to finalize the BlurExchange contract so that it isn’t upgradeable. The other is renouncing the ownership of the ExecutionDelegate so that no new contracts are added or removed.

In response, @Pacman_Blur also tweeted that these concerns are similar to the contracts at OpenSea and X2Y2. Both these platforms could have anyone add extra callers to the contracts at any time. He also stated that the NFT marketplace has completed its security audits via dedbaub & code4rena. He also stated “I think your suggestions are reasonable and we will definitely consider finalizing the exchange contract in the future. With that said 100% security is never achievable. There are always threat vectors from hardware to digital to physical.”

Related posts