Thirdweb, a prominent player in developing smart contracts for the Web3 ecosystem, recently identified a significant security vulnerability. This discovery has raised concerns across the Web3 industry, as it potentially impacts a broad array of smart contracts utilized in various applications.
The affected contracts span diverse domains, including gaming, minting, marketplaces, and wallets. Notably, according to a blog post, this vulnerability was found in a widely used open-source library, crucial to the operation of these smart contracts.
Citing the apparent severity of the issue, Thirdweb has declined to name the open-source library in which the vulnerability originated or to describe the nature of the flaw. OpenZeppelin, a popular open-source library for smart contracts, has stated that the problem is unrelated to its repository.
The OpenZeppelin team was informed yesterday Monday (12/4) at 4pm ET by @thirdweb about a security vulnerability involved in but not limited to Thirdweb’s versions of DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20 pre-built contracts.
— OpenZeppelin (@OpenZeppelin) December 5, 2023
As far as we know, this…
Despite the severity of the vulnerability, Thirdweb’s investigation found no instances of exploitation to date. This gives affected Web3 firms a window to implement preventive measures and secure their systems before any breach occurs. The vulnerability affects several of Thirdweb’s pre-built contracts, notably DropERC20, ERC721, and ERC1155, among others. Immediate action is necessary to mitigate the risks associated with these contracts.
IMPORTANT
— thirdweb (@thirdweb) December 5, 2023
On November 20th, 2023 6pm PST, we became aware of a security vulnerability in a commonly used open-source library in the web3 industry.
This impacts a variety of smart contracts across the web3 ecosystem, including some of thirdweb’s pre-built smart contracts.…
Thirdweb’s proactive measures and community guidance
In response to the vulnerability, Thirdweb has issued an urgent advisory to its users, especially those who deployed contracts before November 22, guiding developers and users through independent mitigation steps. These include using the tools Thirdweb provides or services such as revoke.cash, as recommended by DefiLlama developer “0xngmi”. Such steps are essential for users who choose not to update their contracts immediately.
Thirdweb has also contacted the maintainers of the affected open-source library and other teams the issue might affect. To strengthen its security process, Thirdweb has doubled its bug bounty payouts from $25,000 to $50,000, underscoring its commitment to securing its smart contract deployment tools, and is implementing a more rigorous auditing process to improve overall security.
Responsive actions to safeguard the Web3 ecosystem
The disclosure of this vulnerability has prompted a wave of responses from various industry players. Notable NFT marketplaces like OpenSea and Rarible, as well as Ethereum layer-2 scaling network Base, have acknowledged the potential impact on their platforms and are working to assist affected collection owners.
We are in touch with @thirdweb about the security vulnerability impacting some NFT collections. Stay tuned for more info on how we can assist affected collection owners with any changes on OpenSea tied to contract migration. Please read @thirdweb’s post below for more detail. https://t.co/HU6bmXWU7U
— OpenSea (@opensea) December 5, 2023
Coinbase, another major entity in the space, revealed that some collections on its NFT platform are impacted. In contrast, smart contract startup Manifold confirmed its contracts are unaffected.
Prominent projects such as Cool Cats and Animoca Brands’ Mocaverse have taken steps to migrate their NFT collections to new contracts, ensuring the security of their assets.