Thirdweb Discloses Common Security Flaw in Smart Contracts
Thirdweb, a Web3 firm that develops smart contracts, has disclosed a security flaw that “may affect an assortment of smart contracts throughout the Web3 ecosystem.”

Thirdweb disclosed a vulnerability in a widely utilized open-source library on December 4, which had the potential to affect particular pre-built smart contracts, including some that it had developed.
Thirdweb's investigation has so far found no evidence that the flaw has been exploited, which leaves affected Web3 teams a limited window to mitigate before an attack.
Emphasizing that the vulnerability could cause catastrophic damage if not remedied immediately, Thirdweb stated:
“The impacted pre-built contracts include but are not limited to DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20.”
The company proactively warned users who had deployed its contracts before November 22. These users were advised to “take mitigation steps” either independently or by utilizing a tool provided by the company.
IMPORTANT
On November 20th, 2023 6pm PST, we became aware of a security vulnerability in a commonly used open-source library in the web3 industry.
This impacts a variety of smart contracts across the web3 ecosystem, including some of thirdweb’s pre-built smart contracts.…
— thirdweb (@thirdweb) December 5, 2023
Thirdweb also recommended that developers help users revoke approvals on all impacted contracts through revoke.cash. “This will safeguard your users if you opt not to mitigate the contract,” DefiLlama developer “0xngmi” added in response to the request to revoke approvals.
btw this seems important, they're asking to revoke all approvals to thirdweb contracts (you might have interacted with them without knowing as they're white-labelled, especially if you do stuff around NFTs) https://t.co/T1YU9xnIRb
— 0xngmi is hiring (@0xngmi) December 5, 2023
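Revoking an approval, whether through revoke.cash or by hand, comes down to two on-chain calls: `approve(spender, 0)` for ERC-20 allowances and `setApprovalForAll(operator, false)` for ERC-721/ERC-1155 operator approvals. The block below is an added example, not code from thirdweb or revoke.cash; it builds the raw calldata for both calls without a library so a user can see exactly what the wallet is about to sign, and it checks that a payload really is a clean revocation (zero amount, `false` flag) rather than an approval in disguise. The function selectors are the standard ERC-20/ERC-721 ones; the addresses are constructed placeholders, not real contracts.

```javascript
// Added example (not thirdweb's or revoke.cash's code). Builds and verifies
// the calldata for the two standard approval-revocation calls.
// Selectors are the first 4 bytes of keccak256 of the canonical signature.
const SELECTORS = {
  approve: "095ea7b3",           // approve(address,uint256)
  setApprovalForAll: "a22cb465", // setApprovalForAll(address,bool)
};

function isAddress(addr) {
  return /^0x[0-9a-fA-F]{40}$/.test(addr);
}

// ABI-encode one static 32-byte word: addresses, uints and bools are
// left-padded with zeros to 64 hex characters.
function word(hex) {
  return hex.toLowerCase().replace(/^0x/, "").padStart(64, "0");
}

// ERC-20: approve(spender, 0) sets the allowance granted to `spender` to zero.
function encodeErc20Revoke(spender) {
  if (!isAddress(spender)) throw new Error("bad spender address");
  return "0x" + SELECTORS.approve + word(spender) + word("0");
}

// ERC-721 / ERC-1155: setApprovalForAll(operator, false) removes the blanket
// operator approval that marketplaces and drop contracts typically request.
function encodeOperatorRevoke(operator) {
  if (!isAddress(operator)) throw new Error("bad operator address");
  return "0x" + SELECTORS.setApprovalForAll + word(operator) + word("0");
}

// Sanity-check a payload before signing. Returns { fn, target } when the
// calldata is one of the two revocation functions with a zero/false second
// argument, and null for anything else (wrong length, unknown selector,
// non-zero amount, or a first word that is not a clean address).
function decodeRevocation(calldata) {
  const hex = calldata.replace(/^0x/, "").toLowerCase();
  if (hex.length !== 8 + 64 * 2) return null;
  const selector = hex.slice(0, 8);
  const arg0 = hex.slice(8, 72);
  const arg1 = hex.slice(72, 136);
  const name = Object.keys(SELECTORS).find((k) => SELECTORS[k] === selector);
  if (!name) return null;
  // An address occupies the low 20 bytes; the upper 12 bytes must be zero.
  if (!/^0{24}[0-9a-f]{40}$/.test(arg0)) return null;
  if (arg1 !== "0".repeat(64)) return null;
  return { fn: name, target: "0x" + arg0.slice(24) };
}

// Shape of the JSON-RPC request a wallet signs. `token` is the contract whose
// approval is being revoked; `from` is the user's account.
function revocationTx(from, token, calldata) {
  if (!isAddress(from) || !isAddress(token)) throw new Error("bad address");
  if (!decodeRevocation(calldata)) throw new Error("calldata is not a revocation");
  return {
    method: "eth_sendTransaction",
    params: [{ from, to: token, data: calldata, value: "0x0" }],
  };
}

// Constructed sample addresses for illustration only (not real contracts).
const SAMPLE_TOKEN = "0x1111111111111111111111111111111111111111";
const SAMPLE_SPENDER = "0x2222222222222222222222222222222222222222";
const SAMPLE_USER = "0x3333333333333333333333333333333333333333";

// Usage: build the ERC-20 revocation, verify it, and wrap it for signing.
const tx = revocationTx(SAMPLE_USER, SAMPLE_TOKEN, encodeErc20Revoke(SAMPLE_SPENDER));
```

One caveat the page's own advice implies: revoking approvals protects tokens that still sit in a user's wallet, because the vulnerable contract can no longer move them, but it does nothing for assets already held inside the contract and it does not fix the contract itself. Teams that own an affected deployment still need to apply thirdweb's mitigation.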
Thirdweb has initiated communication with the maintainers of the open-source library that contains the critical flaw and with other teams that may be affected by the situation.
It also promised a more stringent auditing process, increased funding for security, and a doubling of its bug bounty payout from $25,000 to $50,000. In addition, the company is offering a grant to cover the cost of contract mitigations.
“We understand that this will cause disruption, and we are treating the mitigation of the issue with the utmost seriousness. We will be offering a retroactive gas grant to cover fees for contract mitigations.”
Full details of the vulnerability were withheld for security reasons.
In August 2022, the company secured $24 million in Series A funding from Haun Ventures, Coinbase, Shopify, and Polygon.
The company's multichain smart contract deployment tools for gaming, minting, marketplaces, and wallets are reportedly used by more than 70,000 developers each month.