Smart contract development company Thirdweb reported a security vulnerability that potentially “affects a variety of smart contracts across the Web3 ecosystem.”
On December 4, Thirdweb reported a vulnerability in a commonly used open source library that could affect specific pre-built smart contracts, including some of its own. However, Thirdweb's investigation concluded that the smart contract vulnerability has not yet been exploited, providing a small window of opportunity for Web3 companies to avoid a potential attack.
Highlighting the vulnerability's potential to cause massive damage if not immediately rectified, Thirdweb stated:
“Affected prebuilt contracts include, but are not limited to, DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20.”
Following the proactive warning to the Web3 ecosystem, the company warned users who deployed their contracts before November 22 to “take mitigation measures” independently or using a tool provided by the company.
IMPORTANT
On November 20, 2023 at 6 pm PST, we learned of a security vulnerability in an open source library commonly used in the web3 industry.
This affects a variety of smart contracts across the web3 ecosystem, including some of Thirdweb's pre-built smart contracts.…
– thirdweb (@thirdweb) December 5, 2023
Thirdweb also recommended that developers help users revoke approvals for all affected contracts using revoke.cash, “which will protect their users if they decide not to mitigate the contract.” DefiLlama developer “0xngmi” commented on the request to revoke approvals:
BTW this seems important, they are asking to revoke all 3rd party web contract approvals (you may have interacted with them unknowingly as they are white labeled, especially if you do nfts related stuff) https://t.co/T1YU9xnIRb
-0xngmi (@0xngmi) December 5, 2023
Thirdweb has reached out to the maintainers of the open source library at the root of the vulnerability, as well as to other teams potentially affected by the issue.
It also pledged to increase investment in security measures and double bug bounty payments from $25,000 to $50,000 while implementing a more rigorous auditing process. The firm also offered a grant to cover contract mitigations.
“We understand this will cause disruption and we are treating mitigation of the issue with the utmost seriousness. We will offer a retroactive gas grant to cover contract mitigation fees.”
Full details of the vulnerability were not disclosed for security reasons. Cointelegraph contacted Thirdweb for further updates but was redirected to the blog post.
The company raised $24 million in a Series A funding round with Haun Ventures, Coinbase, Shopify, and Polygon in August 2022.
The Web3 company, which provides multi-chain smart contract deployment tools for gaming, minting, marketplaces, and wallets, claims to have over 70,000 developers using its services monthly.