Smart contract development company Thirdweb recently identified a critical security flaw that could affect numerous smart contracts throughout the Web3 ecosystem.
On December 4, Thirdweb disclosed a vulnerability in a widely used open-source library, potentially impacting various pre-built smart contracts, including some developed by Thirdweb itself. Thirdweb’s investigation found that the vulnerability had not yet been exploited, offering a brief period for Web3 entities to prevent potential hacking incidents.
Thirdweb emphasized the urgency of addressing this issue, noting the significant risk it poses:
“The affected pre-built contracts include, but are not limited to, DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20.”
In response to this discovery, Thirdweb alerted the Web3 community and advised users who had implemented its contracts before November 22 to undertake necessary mitigation measures. These measures could be carried out independently or with a tool provided by the company. Additionally, Thirdweb recommended that developers assist users in revoking approvals on all compromised contracts using revoke.cash. This step, as DefiLlama developer “0xngmi” pointed out, is crucial for user protection, especially for those opting not to modify the contract.
Thirdweb has reached out to the maintainers of the open-source library central to this vulnerability and has also informed other teams that might be affected.
To further enhance security, Thirdweb committed to increasing its investment in security protocols and announced a doubling of its bug bounty rewards, raising them from $25,000 to $50,000. The company also plans to implement more stringent auditing procedures and has offered a grant to assist with contract mitigation costs.
Acknowledging the inconvenience this issue may cause, Thirdweb stated:
“We recognize the disruption this may cause and are fully committed to addressing this issue with the highest level of urgency. We will also provide a retroactive gas grant to cover the expenses for contract mitigations.”
Full details of the vulnerability remain undisclosed for security reasons. When Cointelegraph asked Thirdweb for more information, it was referred to the company’s blog post. In August 2022, Thirdweb secured $24 million in Series A funding from notable investors including Haun Ventures, Coinbase, Shopify, and Polygon.
As a Web3 company offering multi-chain smart contract deployment tools for various applications like gaming, minting, marketplaces, and wallets, Thirdweb boasts a monthly user base of over 70,000 developers.