Blur NFT Marketplace Might Not Be As Safe As We Thought


Following a successful airdrop announcement, a review of the Blur NFT marketplace smart contracts paints a shady picture. The review, by Twitter user @0xQuit, is a follow-up to his previous thread on the Blur airdrop. Read on to learn what the contract review has revealed.

What Do The Contract Review Results Show?
In the original airdrop thread, @0xQuit laid out a step-by-step process for collecting the airdrop. One of these steps was to list an NFT. The Blur NFT marketplace required users to sign a (then) unverified contract. @0xQuit suggested that users list a low-tier, low-value NFT for this step. Upon further review, the Blur approval request was for contract 0x00000000000111AbE46ff893f3B2fdF1F759a8A8. This contract strictly handles token transfers on the exchange. Similar code exists in other marketplaces like OpenSea and LooksRare. These contracts are, in essence, very similar “modular components with a very specialized purpose of transferring tokens.”

For example, on LooksRare, the code states that once a user approves the contract, only the LooksRare marketplace is allowed to transfer tokens through it. On OpenSea, a similar process takes place, but with control given to “conduit controllers” that add channels through which tokens can be moved.

Image: LooksRare exchange smart contract code. Line 27 blocks anything other than the marketplace address from transferring tokens; this address is set at Line 9.
What this basically means is that users need a high degree of trust in OpenSea or LooksRare before approving those contracts. On Blur, there are two key issues that @0xQuit points out. The first is that in Blur's code, the equivalent conduits only check whether the caller is on a list of addresses allowed to move tokens.

This means that the owner of the smart contract can still add other addresses to that mapping and yank approved tokens. Blur, as a new marketplace, has not yet earned that level of trust. The other issue concerns the “exchange contract”, which is itself transferable, meaning that users never truly know what they are approving.

Potential Solutions
In light of these two issues, marketplace owner @Pacman_Blur has assured users that they are safe. The contracts are multi-signature contracts, as verified by @0xQuit. @0xQuit also pointed out a couple of solutions: the first is to finalize the BlurExchange contract so that it isn’t upgradeable; the other is to renounce ownership of the ExecutionDelegate so that no new contracts can be added or removed.
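To make the two delegate designs discussed above concrete, here is a hypothetical Solidity sketch written for this article; it is not code from Blur, LooksRare or OpenSea, and the contract and function names (FixedCallerDelegate, MutableAllowlistDelegate, isFrozen) are illustrative, not the real projects'. It contrasts a fixed marketplace check with an owner-mutable allowlist, and shows the renounce-ownership mitigation @0xQuit proposed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-721 surface needed by both delegates (standard function).
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Pattern 1 (LooksRare-style, as described in the article): the only address
// allowed to move approved tokens is fixed at deployment and can never change.
contract FixedCallerDelegate {
    address public immutable marketplace;

    constructor(address _marketplace) { marketplace = _marketplace; }

    function transferERC721(address collection, address from, address to, uint256 tokenId) external {
        require(msg.sender == marketplace, "only marketplace");
        IERC721(collection).transferFrom(from, to, tokenId);
    }
}

// Pattern 2 (the concern raised in the review): callers live in a mapping the
// owner can extend at any time, so an approval to this contract is really an
// approval to whatever address the owner decides to add later.
contract MutableAllowlistDelegate {
    address public owner;
    mapping(address => bool) public contracts;

    constructor(address _marketplace) {
        owner = msg.sender;
        contracts[_marketplace] = true;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function approveContract(address c) external onlyOwner { contracts[c] = true; }
    function denyContract(address c) external onlyOwner { contracts[c] = false; }

    // Mitigation suggested in the review: once the owner is the zero address the
    // allowlist is frozen, so users know exactly which callers they approved.
    function renounceOwnership() external onlyOwner { owner = address(0); }

    // Check a user can make on-chain before approving (hypothetical helper).
    function isFrozen() external view returns (bool) { return owner == address(0); }

    function transferERC721(address collection, address from, address to, uint256 tokenId) external {
        require(contracts[msg.sender], "caller not approved");
        IERC721(collection).transferFrom(from, to, tokenId);
    }
}
```

Before approving a delegate of the second kind, reading its owner (or the isFrozen view here) tells you whether the set of callers can still grow.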

In response, @Pacman_Blur also tweeted that these concerns apply equally to the contracts at OpenSea and X2Y2, both of which could have anyone add extra callers to the contracts at any time. He also stated that the marketplace has completed its security audits via Dedaub & Code4rena, adding: “I think your suggestions are reasonable and we will definitely consider finalizing the exchange contract in the future. With that said 100% security is never achievable. There are always threat vectors from hardware to digital to physical.”

All investment/financial opinions expressed by are not recommendations.

This article is educational material.

As always, make your own research prior to making any kind of investment.


Vineet is a storyteller based in Mumbai. Having previously worked for various web2 organizations as a journalist, instructional designer, and event manager, he got into blockchain in early 2021. As a musician by passion, he fell in love with the digital megastructures building the future of art and creativity. He believes that web3 unlocks creativity at a higher level, and works towards onboarding music projects to the space.
