ThirdWeb Discloses Smart Contract Vulnerability in Popular Open Source Library

Admin

December 05, 2023

Table of Contents

ThirdWeb, a leading web3 development platform, recently disclosed a critical security vulnerability impacting some of its smart contracts.

In a detailed blog post, the company outlined the issue, confirmed the contracts affected, and provided a mitigation tool and recommendations for users to secure their contracts.

On November 20th, ThirdWeb was made aware of a vulnerability in a commonly used open source library that is leveraged in some of their smart contracts. After conducting an investigation alongside audit partners, ThirdWeb confirmed that the vulnerability could enable unauthorized access and administration capabilities in affected contracts.

While ThirdWeb stated that there are no known exploits of the issue in their contracts so far, they stressed that immediate action should be taken by customers to lock and migrate vulnerable contracts to new instances without the vulnerability.

IMPORTANT

On November 20th, 2023 6pm PST, we became aware of a security vulnerability in a commonly used open-source library in the web3 industry.

This impacts a variety of smart contracts across the web3 ecosystem, including some of thirdweb’s pre-built smart contracts.…
— thirdweb (@thirdweb) December 5, 2023

Impacted Smart Contracts

The vulnerability impacts the following ThirdWeb smart contracts that were deployed before November 22nd at 7PM PST:

AirdropERC20 (v1.0.3 and later)
ERC721 (v1.0.4 and later)
ERC1155 (v1.0.4 and later)
ERC20Claimable
ERC721Claimable
ERC1155Claimable
BurnToClaimDropERC721 (all versions)
DropERC20, ERC721, ERC1155 (all versions)
LoyaltyCard
MarketplaceV3 (All versions)
Multiwrap, Multiwrap_OSRoyaltyFilter
OpenEditionERC721 (v1.0.0 and later)
Pack and Pack_OSRoyaltyFilter
TieredDrop (all versions)
TokenERC20, ERC721, ERC1155 (all versions)
SignatureDrop, SignatureDrop_OSRoyaltyFilter
Split (low impact)
TokenStake, NFTStake, EditionStake (All versions)

Any contracts deployed after November 22nd at 7PM PST using the latest third web SDKs or dashboards contain the fix and are not impacted.

Custom contracts built on top of thirdweb's base contracts are also likely not affected, but thirdweb cannot guarantee this.

Mitigation Tool and Recommendations

To assist affected customers in securing contracts, ThirdWeb has released a mitigation tool.

The tool allows users to check if their contract is vulnerable, and provides step-by-step instructions tailored to the contract type on how to lock it down and migrate assets to a new, safe instance.

In most cases, the recommendation is to lock the contract to revoke permissions, disable transfers, and take a snapshot of current token holders. Users can then choose to either airdrop replacement tokens to the snapshotted addresses or provide a claim site for holders to claim new tokens by signing transactions.

ThirdWeb stresses that before locking contracts, holders should withdraw any tokens they have staked or put into liquidity pools to avoid losing access. Users should also approve contract interactions via revoke to further protect themselves.

Detailed documentation on using the mitigation tool can be found on the ThirdWeb support site.

Enhanced Security Efforts

In addition to building the mitigation tool, ThirdWeb states they are significantly increasing security measures moving forward. This includes doubling the bug bounty for vulnerabilities uncovered by security researchers from $25,000 to $50,000.

The company will also be employing more rigorous auditing processes and general security hardening of its smart contract codebase. They state that creating a robust environment for web3 developers is a top priority.

Analysis and Implications

The vulnerability disclosure and mitigation recommendations provided by ThirdWeb serve as an example of transparency and effective customer support. By providing actionable information and tools for securing impacted contracts, ThirdWeb reduces the risk to web3 developers building on their platform.

However, the event also highlights the nascent state of smart contract security. Libraries and tools meant to simplify and speed development can inadvertently introduce risks if not thoroughly vetted. While auditing and formal verification solutions are advancing, virtually no contract can be declared "risk-free".

The Thirdweb hasn't disclosed any further details, such as the vulnerable library identity or the exploit details.

For any questions related to securing a vulnerable contract, ThirdWeb emphasizes contacting them directly via email at [email protected]. General questions can be directed to the same address.