Some makers of Ethereum NFT projects are scrambling to secure their collections after Thirdweb, a leading crypto development platform, revealed smart contract issues late Monday.
Thirdweb wrote that a security vulnerability in a “commonly used open source library” for Web3 smart contracts was discovered, and that it affects pre-built contracts offered by Thirdweb, among others. Smart contracts contain the code that powers autonomous decentralized apps (dapps) and NFT collections.
Due to the apparent severity of the vulnerability, Thirdweb is not disclosing which open source library caused the exploit or details about what the exploit entails. OpenZeppelin, a widely used open source library for smart contracts, has since revealed that the issue is not tied to its repository.
“Based on our research, the issue is inherent to problematic integration of specific patterns, and not specific to the implementations in the OpenZeppelin Contracts library,” it tweeted, but added that it would still “lead efforts to assess who in the community has been affected and provide them with mitigation strategies.”
IMPORTANT
On November 20, 2023 at 6:00 PM PST, we became aware of a security vulnerability in a widely used open source library in the web3 industry.
This affects a variety of smart contracts in the web3 ecosystem, including some pre-built smart contracts from thirdweb.…
— thirdweb (@thirdweb) December 5, 2023
Thirdweb said it does not believe any smart contracts have been exploited yet, but recommends that projects undertake a mitigation process that includes locking down their current smart contract, then migrating to a new contract and airdropping tokens to current holders. The company said it would help cover network costs associated with migrating holders of an affected smart contract.
According to Thirdweb, it became aware of the contract vulnerability on November 20 and rolled out a fix for the pre-built smart contract templates on November 22. As a result, all Thirdweb smart contracts deployed after 10:00 PM ET on November 22 are believed to be secure, but those deployed before then may be affected.
The exploit is linked to NFT smart contracts using the Ethereum ERC-721 and ERC-1155 standards, as well as fungible tokens minted via the ERC-20 standard. A full list of affected contract types is available via Thirdweb’s blog post, along with a mitigation tool which can identify any affected contracts.
Many major industry players have weighed in on the potential impact of this issue on their users, NFT holders, and NFT project creators.
We’re in touch with @thirdweb about the security issue affecting some NFT collections. Stay tuned for more information on how we can help affected collection owners with any changes to OpenSea related to contract migration. Read @thirdweb’s post below for more information. https://t.co/HU6bmXWU7U
— OpenSea (@opensea) December 5, 2023
Large NFT marketplace OpenSea tweeted that users should “stay tuned for more information on how we can assist affected collection owners with any changes to OpenSea related to contract migration.” Rarible, another NFT marketplace, said that some NFT drops on its platform are also affected on Ethereum and the sidechain scaling network Polygon.
Coinbase said some collections created on its NFT platform are affected, while smart contract startup Manifold said that its own contracts remain unaffected. Base, the Ethereum Layer-2 scaling network that Coinbase incubated, said that some project contracts used on Base are affected, but the network itself is safe.
Moca Transparency Tuesday – TL;DR: Mocas are SAFU, funds are SAFU, wallets are SAFU
On December 2 at 11:17 AM HKT, we were notified by @thirdweb, our smart contract development partner for the Mocaverse collections, that a security update was needed for the smart contracts…
— Mocaverse💼🪐 (@MocaverseNFT) December 5, 2023
Ethereum profile picture (PFP) project Cool Cats said that while the main NFTs are safe, it will migrate its Avatar System packages to a new contract. Meanwhile, Animoca Brands' Mocaverse gaming platform said it has migrated its various NFT collections to new contracts, and let holders claim the new versions.
In addition to covering fees for migrated projects, Thirdweb wrote that it has doubled its bug bounty payments from $25,000 to $50,000, and will use “a more rigorous audit process” in the future.