Thirdweb, a provider of Web3 software development kits (SDKs), confirmed the presence of a security vulnerability in a widely used open source library that affects numerous Web3 smart contracts, according to a December 4 report on the social media platform X (formerly Twitter).
The company stated that the vulnerability was first identified on November 20 and affected a variety of smart contracts in the Web3 ecosystem, including some of the pre-built smart contracts.
However, it clarified that the vulnerability has yet to be exploited, and it refrained from naming the open source library to prevent possible exploitation. The company wrote:
“Based on our research to date, this vulnerability has not been exploited in any third-party web smart contracts. However, smart contract owners must take mitigation measures for certain pre-built smart contracts created on thirdweb before November 22, 2023 at 7:00 PM PT.”
Affected smart contracts
Thirdweb identified 13 smart contracts affected by the vulnerability, including AirdropERC20, ERC721 and ERC1155.
Smart contract owners are advised to take proactive mitigation measures to prevent exploitation. Thirdweb added that it is working with security partners to develop tools that make it easy to identify affected contracts and apply the necessary mitigations.
Depending on the nature of the contract, these steps may include contract locking, snapshot creation, and migration to a new contract. In addition, users of these contracts are encouraged to revoke approvals for all Thirdweb contracts.
Thirdweb is also raising the rewards offered for its platform to $50,000 and implementing a stricter audit process.
In the meantime, 0xngmi, the pseudonymous developer of DefiLlama, urged the community to withdraw their approvals for thirdweb contracts, since people may have interacted with them without knowing it because the contracts are white-labeled.
NFT projects respond
Several NFT projects, including OpenSea, have responded to the concerns raised by the vulnerability.
OpenSea confirmed discussions with Thirdweb about security issues in specific NFT collections. The NFT platform hinted at upcoming support for affected collection owners and expected changes regarding contract migration on their platform.
Some NFT collections, such as CoolCats and ApesRare, have reassured their holders that they are not affected by these vulnerabilities.
However, Thirdweb’s disclosure approach has received criticism within the community.