Thirdweb, a smart contract development firm within the Web3 ecosystem, has discovered a security vulnerability that potentially affects a range of smart contracts across the Web3 landscape.

The company offers multichain smart contract deployment tools for various applications such as gaming, minting, marketplaces, and wallets, with a user base of over 70,000 developers.

Thirdweb Discloses Security Vulnerability

On December 4, Thirdweb disclosed on X a vulnerability in a widely used open-source library that could impact specific pre-built smart contracts, including some developed by the firm itself.

Thirdweb's investigations determined that no one has exploited the smart contract flaw. That offers a limited window of opportunity for Web3 firms to take preventive measures and avert a potential security breach.

Thirdweb emphasized that failing to address the vulnerability promptly could lead to severe consequences. The affected pre-built contracts, including but not limited to DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20, pose a risk if not rectified.

In response to this discovery, Thirdweb issued a proactive warning to the Web3 ecosystem, urging users who deployed its contracts before November 22 to take independent mitigation steps or use a tool provided by the company.

Additionally, Thirdweb advised developers to assist users in revoking approvals on all affected contracts using revoke.cash, as suggested by DefiLlama developer “0xngmi” in response to the request for approval revocation. The measure is intended to provide additional protection for users who may decide not to implement contract mitigation steps.

Thirdweb Enhances Security Measures

In response to the identified vulnerability in a commonly used open-source library, Thirdweb has taken several proactive steps. The company has reached out to the maintainers of the open-source library responsible for the vulnerability and has also contacted other teams that may be affected by the issue.

Thirdweb has committed to increasing its investment in security and has decided to double bug bounty payouts from $25,000 to $50,000 to fortify its security measures. Additionally, the company is implementing a more rigorous auditing process to enhance the overall security of its smart contract deployment tools.

Thirdweb has further offered a grant to cover contract mitigations for affected users. However, for security reasons, the platform has not disclosed the full details of the vulnerability.

Notably, Thirdweb successfully raised $24 million in a Series A funding round in August 2022, with contributions from notable entities such as Haun Ventures, Shopify, Coinbase, and Polygon.


