Thirdweb, a smart contract development company operating within the Web3 ecosystem, has detected a security vulnerability that could affect a wide range of smart contracts in the Web3 domain. The company, which supplies tools for deploying multi-chain smart contracts in areas like gaming, minting, marketplaces, and wallets, serves a user base exceeding 70,000 developers.
No panic just yet
On December 4th, Thirdweb revealed a vulnerability in a widely used open-source library that affects specific pre-built smart contracts, including some developed by the company. Its investigation found no evidence that the flaw had been exploited in any smart contract. That leaves Web3 firms a limited window in which to apply mitigations before an attacker does.
Thirdweb nevertheless stressed the urgency of addressing the vulnerability promptly, highlighting the risk to affected pre-built contracts such as DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20 if they are left unmitigated.
In response to the discovery, Thirdweb issued a proactive warning to the Web3 ecosystem, urging users who deployed its contracts before November 22nd to take independent mitigation steps or use a tool provided by the company.
Time is of the essence
Thirdweb recommended that developers assist users in revoking approvals on all affected contracts using revoke.cash, as suggested by DefiLlama developer 0xngmi. This measure was intended to offer additional protection to users in cases where the contract mitigation steps are not implemented.
In light of the identified vulnerability in the open-source library, Thirdweb has taken proactive measures. The company has reached out to the maintainers of the open-source library responsible for the vulnerability and contacted other teams that may be affected. Thirdweb has also committed to enhancing its investment in security, doubling bug bounty payouts to $50,000, and implementing a more rigorous auditing process for its smart contract deployment tools.
Moreover, Thirdweb is providing a grant to cover contract mitigations for affected users, although the full details of the vulnerability remain undisclosed for security reasons. It is noteworthy that Thirdweb raised $24 million in a Series A funding round in August 2022, with contributions from prominent investors including Haun Ventures, Shopify, Coinbase, and Polygon.