Web3 Firm Thirdweb Finds Major Vulnerability In Smart Contracts

Brian Yue
Last updated: | 1 min read
In an X post on Monday, the firm notified its followers that it had found a vulnerability in a commonly used open-source library that could impact specific pre-built smart contracts, including some of its own.
Source: Pixabay

Web3 developer Thirdweb has disclosed a security vulnerability that has the potential to affect a range of smart contracts within the Web3 ecosystem.

In an X post on Monday, the firm notified its followers that it had found a vulnerability in a commonly used open-source library that could impact specific pre-built smart contracts, including some of its own.

Luckily, Thirdweb’s investigations determined that the smart contract vulnerability remains unexploited, providing a brief window of opportunity for Web3 firms to take preventive measures and mitigate the risk of a potential hack.

“In most cases, the mitigation steps will involve locking the contract, taking a snapshot and migrating to a new contract without the known vulnerability,” the firm said on X. “The exact steps you need to take will depend on the nature of your smart contract, and you can determine these using the tool.”

Thirdweb noted that the impacted pre-built contracts include but are not limited to DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20. The company included a link to see a full list of impacted smart contracts and mitigation steps.

The company advised users who had deployed the listed smart contracts before November 22 to immediately take mitigation steps or use a company-provided tool.

Thirdweb also recommended developers assist users in revoking approvals on all affected contracts through revoke.cash. DefiLlama developer “0xngmi” noted in a reply to the post that this would “protect your users if you choose not to mitigate the contract.”

Following the discovery of the vulnerability, Thirdweb has committed to increasing investments in security measures. The firm plans to double bug bounty payouts, raising them from $25,000 to $50,000, and is implementing a more stringent auditing process. The Web3 developer will also provide a grant to cover the costs associated with contract mitigations.

“We understand that this will cause disruption, and we are treating the mitigation of the issue with the utmost seriousness,” the firm continued in its post. “We will be offering a retroactive gas grant to cover fees for contract mitigations.”

Thirdweb is a Web3 developer that provides multichain smart contract deployment tools for minting, gaming, wallets, and more. The firm claims to have more than 70,000 developers using its services monthly.

The company previously raised $24 million in a Series A funding round with Haun Ventures, Coinbase, Shopify and Polygon in August 2022.