Thirdweb Exposes Security Flaw in Web3 Smart Contracts

Thirdweb, a company that develops smart contracts, has disclosed a security flaw that “may affect an assortment of smart contracts throughout the Web3 ecosystem.”

On December 4, Thirdweb disclosed a vulnerability in a widely used open-source library that had the potential to affect particular pre-built smart contracts, including some that it had developed.

According to the findings of Thirdweb’s investigations, however, the smart contract vulnerability has not yet been exploited, giving Web3 companies a brief opportunity to avert a potential breach.

Thirdweb issued a proactive advisory to the Web3 ecosystem and advised users who deployed its contracts before November 22 to “take mitigation steps,” either on their own or with the help of a tool the company provided.

“The impacted pre-built contracts include but are not limited to DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20.”

The advisory emphasized the potential for the vulnerability to result in significant harm if not addressed promptly. Thirdweb additionally recommended that developers assist users in rescinding approvals on all impacted contracts through the use of revoke.cash.

“This will safeguard your users in the event that you opt not to mitigate the contract,” DefiLlama developer “0xngmi” added in response to the request to revoke approvals.

Thirdweb has initiated communication with the maintainers of the open-source library that contains the critical flaw, as well as with other teams that may be affected by the situation.

Furthermore, it made a commitment to augment funding for security measures, double the amount awarded for bug bounty contributions from $25,000 to $50,000, and enforce a more stringent auditing procedure. Additionally, the company provided a grant to address contract mitigations.

“We understand that this will cause disruption, and we are treating the mitigation of the issue with the utmost seriousness. We will be offering a retroactive gas grant to cover fees for contract mitigations.”

For security purposes, complete information regarding the vulnerability was withheld. In August 2022, the company secured $24 million in Series A funding from Haun Ventures, Coinbase, Shopify, and Polygon.

More than 70,000 developers reportedly use the Web3 company’s multichain smart contract deployment tools for gaming, minting, marketplaces, and wallets each month.
