Web3 Company Uncovers Significant Security Vulnerability in Widely-Used Smart Contracts
Thirdweb, a leading smart contract development company, has identified a critical security flaw in the Web3 environment, urging immediate action to prevent potential breaches.
Smart contract development company Thirdweb recently identified a security flaw that could potentially affect numerous smart contracts within the Web3 environment. On December 4, Thirdweb disclosed a vulnerability in a widely-used open-source library that might impact certain pre-built smart contracts, including some developed by Thirdweb itself. Fortunately, their investigation found no evidence of exploitation, providing a critical opportunity for Web3 entities to preempt a potential breach.
Thirdweb emphasized the urgency of addressing this vulnerability to prevent extensive damage, noting that affected contracts include DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20. The company advised users who implemented its contracts before November 22 to undertake mitigation steps, either independently or with a tool provided by Thirdweb.
"On November 20th, 2023 6pm PST, we became aware of a security vulnerability in a commonly used open-source library in the web3 industry. This impacts a variety of smart contracts across the web3 ecosystem, including some of thirdweb’s pre-built smart contracts.…" — thirdweb (@thirdweb) December 5, 2023
Developers are also encouraged to direct users to revoke.cash so they can revoke approvals on all affected contracts, which protects users even if the contract owner chooses not to carry out the mitigation. Thirdweb has informed the maintainers of the vulnerable open-source library and reached out to other teams that might be affected.
In response to this issue, Thirdweb has committed to enhancing its security protocols, including doubling its bug bounty rewards to $50,000 and implementing more stringent auditing procedures. The company also announced a grant to assist with contract mitigations, acknowledging the potential disruption this vulnerability may cause. While full details of the vulnerability remain undisclosed for security reasons, Thirdweb remains open to providing further updates.
Thirdweb, which raised $24 million in a Series A funding round in August 2022, offers multichain smart contract deployment tools for various applications and boasts over 70,000 monthly users.