Crypto Academy

Thirdweb Uncovers Critical Flaw in Popular Smart Contracts

Thirdweb detects a major security flaw in widely-used smart contracts, prompting urgent mitigation efforts and increased security investments.

In a recent development for the Web3 sector, Thirdweb, a key player in smart contract development, has identified a significant security loophole. This flaw potentially jeopardizes numerous smart contracts crafted with a widely-utilized open-source library. The disclosure of this vulnerability by Thirdweb marks a vital moment in the Web3 ecosystem, as it affects a broad range of smart contracts.

Vulnerability Details and Impact

Thirdweb discovered this security gap on December 4. It could affect several pre-built smart contracts, including some of Thirdweb's own. Despite the gravity of the situation, Thirdweb confirmed that the vulnerability has not yet been exploited. This gives firms in the Web3 space a crucial opportunity to prevent potential hacking incidents.

The company revealed that the vulnerability could have far-reaching consequences, particularly affecting pre-built contracts like DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20. In light of this discovery, Thirdweb is advising users who implemented its contracts before November 22 to undertake necessary mitigation steps. They can do this independently or by employing a tool provided by the company.

Mitigation Efforts and Developer Assistance

To assist developers in safeguarding users, Thirdweb recommends the use of revoke.cash for revoking approvals on all affected contracts. This step is critical for protection, especially for those opting not to mitigate the contract directly. DefiLlama developer “0xngmi” has echoed the importance of this action.

In response to this situation, Thirdweb is reaching out to maintainers of the open-source library at the heart of the vulnerability. The company is also communicating with other teams that might be impacted by this issue. Furthermore, Thirdweb is committing to heightened security measures, including doubling its bug bounty payouts from $25,000 to $50,000 and introducing more stringent auditing processes.

Increased Security Investments and Support

Acknowledging the disruption this might cause, Thirdweb has pledged to offer a retroactive gas grant to cover fees associated with contract mitigations. Although the full details of the vulnerability have been withheld for security reasons, Thirdweb is keeping the community updated through its blog.

In August 2022, Thirdweb raised $24 million in a Series A funding round, which included investments from Haun Ventures, Coinbase, Shopify, and Polygon. Lastly, the company, renowned for its multichain smart contract deployment tools used in gaming, minting, marketplaces, and wallets, boasts a monthly user base of over 70,000 developers.
