ThirdWeb Discloses Smart Contract Vulnerability in Popular Open Source Library
In a detailed blog post, the company outlined the issue, confirmed the contracts affected, and provided a mitigation tool and recommendations for users to secure their contracts.
On November 20th, ThirdWeb was made aware of a vulnerability in a commonly used open source library that is leveraged in some of their smart contracts. After conducting an investigation alongside audit partners, ThirdWeb confirmed that the vulnerability could enable unauthorized access and administration capabilities in affected contracts.
While ThirdWeb stated that there are no known exploits of the issue in their contracts so far, they stressed that immediate action should be taken by customers to lock and migrate vulnerable contracts to new instances without the vulnerability.
IMPORTANT
On November 20th, 2023 6pm PST, we became aware of a security vulnerability in a commonly used open-source library in the web3 industry.
This impacts a variety of smart contracts across the web3 ecosystem, including some of thirdweb’s pre-built smart contracts.…
— thirdweb (@thirdweb) December 5, 2023
Impacted Smart Contracts
The vulnerability impacts the following ThirdWeb smart contracts that were deployed before November 22nd at 7PM PST:
- AirdropERC20 (v1.0.3 and later)
- ERC721 (v1.0.4 and later)
- ERC1155 (v1.0.4 and later)
- ERC20Claimable
- ERC721Claimable
- ERC1155Claimable
- BurnToClaimDropERC721 (all versions)
- DropERC20, ERC721, ERC1155 (all versions)
- LoyaltyCard
- MarketplaceV3 (all versions)
- Multiwrap, Multiwrap_OSRoyaltyFilter
- OpenEditionERC721 (v1.0.0 and later)
- Pack and Pack_OSRoyaltyFilter
- TieredDrop (all versions)
- TokenERC20, ERC721, ERC1155 (all versions)
- SignatureDrop, SignatureDrop_OSRoyaltyFilter
- Split (low impact)
- TokenStake, NFTStake, EditionStake (all versions)
Mitigation Tool and Recommendations
To assist affected customers in securing contracts, ThirdWeb has released a mitigation tool.
The tool allows users to check if their contract is vulnerable, and provides step-by-step instructions tailored to the contract type on how to lock it down and migrate assets to a new, safe instance.
In most cases, the recommendation is to lock the contract to revoke permissions, disable transfers, and take a snapshot of current token holders. Users can then choose to either airdrop replacement tokens to the snapshotted addresses or provide a claim site for holders to claim new tokens by signing transactions.
ThirdWeb stresses that before locking contracts, holders should withdraw any tokens they have staked or put into liquidity pools to avoid losing access. Users should also revoke any token approvals they have granted for contract interactions to further protect themselves.
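The snapshot-then-airdrop step described above, worked through as an added example that is not part of ThirdWeb's mitigation tool: holder balances are rebuilt by replaying a contract's Transfer events in chain order up to the block at which the contract is locked, an ERC-721 variant tracks the current owner per tokenId, and the airdrop plan separates out balances parked in staking or liquidity-pool contracts, which is exactly why holders are told to withdraw before the lock. All addresses and events below are constructed; a real run would pull the logs from an RPC node.

```python
# Added example, not ThirdWeb's tool: rebuild a holder snapshot from ERC-20 /
# ERC-721 Transfer events so replacement tokens can be airdropped. Event data
# is constructed inline; a real run would fetch logs up to the lock block.
from collections import defaultdict
from dataclasses import dataclass

ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"


@dataclass(frozen=True)
class Transfer:
    block: int
    log_index: int      # order inside the block; a mint must precede its spend
    sender: str
    receiver: str
    value: int          # token amount for ERC-20, tokenId for ERC-721


def _ordered(events, snapshot_block):
    """Yield events at or before snapshot_block in chain order, addresses lowercased."""
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        if ev.block > snapshot_block:
            break
        yield Transfer(ev.block, ev.log_index, ev.sender.lower(), ev.receiver.lower(), ev.value)


def snapshot_erc20(events, snapshot_block):
    """Balance per holder at snapshot_block. A mint is a transfer from the zero
    address, a burn a transfer to it. Raises if the event log is incomplete."""
    balances = defaultdict(int)
    for ev in _ordered(events, snapshot_block):
        if ev.sender != ZERO_ADDRESS:
            balances[ev.sender] -= ev.value
            if balances[ev.sender] < 0:
                raise ValueError(f"negative balance for {ev.sender}: incomplete event log")
        if ev.receiver != ZERO_ADDRESS:
            balances[ev.receiver] += ev.value
    return {addr: bal for addr, bal in balances.items() if bal > 0}


def snapshot_erc721(events, snapshot_block):
    """Current owner per tokenId at snapshot_block; burned tokens are dropped."""
    owners = {}
    for ev in _ordered(events, snapshot_block):
        if ev.receiver == ZERO_ADDRESS:
            owners.pop(ev.value, None)
        else:
            owners[ev.value] = ev.receiver
    return owners


def airdrop_plan(balances, contract_holders):
    """Split a snapshot into (airdrop list, balances parked in contracts).
    Tokens sitting in a staking or liquidity-pool contract are credited to that
    contract's address, so they are reported for follow-up rather than airdropped."""
    contract_holders = {a.lower() for a in contract_holders}
    plan = {a: b for a, b in balances.items() if a not in contract_holders}
    parked = {a: b for a, b in balances.items() if a in contract_holders}
    return plan, parked


# Constructed addresses (placeholders, not real accounts or contracts).
ALICE = "0xA11CE00000000000000000000000000000000001"
BOB = "0xB0B0000000000000000000000000000000000002"
CAROL = "0xCA70100000000000000000000000000000000003"
DAVE = "0xDA7E000000000000000000000000000000000004"
POOL = "0xF00100000000000000000000000000000000000F"  # hypothetical liquidity pool

# Constructed ERC-20 log; listed out of order on purpose, replay sorts it.
ERC20_EVENTS = [
    Transfer(100, 1, ALICE, BOB, 400),
    Transfer(100, 0, ZERO_ADDRESS, ALICE, 1000),   # mint
    Transfer(101, 0, BOB, POOL, 100),              # deposit into pool
    Transfer(102, 0, ALICE, CAROL, 600),
    Transfer(105, 0, CAROL, DAVE, 50),             # after the snapshot block
]

# Constructed ERC-721 log; value is the tokenId.
ERC721_EVENTS = [
    Transfer(200, 0, ZERO_ADDRESS, ALICE, 1),
    Transfer(200, 1, ZERO_ADDRESS, ALICE, 2),
    Transfer(201, 0, ALICE, BOB, 1),
    Transfer(202, 0, BOB, ZERO_ADDRESS, 1),        # burn
    Transfer(203, 0, ZERO_ADDRESS, CAROL, 3),
]

if __name__ == "__main__":
    balances = snapshot_erc20(ERC20_EVENTS, snapshot_block=103)
    plan, parked = airdrop_plan(balances, contract_holders={POOL})
    print("airdrop:", plan)
    print("held via contracts, withdraw before lock:", parked)
    print("ERC-721 owners:", snapshot_erc721(ERC721_EVENTS, snapshot_block=202))
```

The snapshot block must be the block at which the old contract was locked, and the event log must be complete from the contract's first block; the negative-balance check catches a truncated log rather than silently producing a wrong airdrop list.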
Detailed documentation on using the mitigation tool can be found on the ThirdWeb support site.
Enhanced Security Efforts
In addition to building the mitigation tool, ThirdWeb states they are significantly increasing security measures moving forward. This includes doubling the bug bounty for vulnerabilities uncovered by security researchers from $25,000 to $50,000.
The company will also be employing more rigorous auditing processes and general security hardening of its smart contract codebase. They state that creating a robust environment for web3 developers is a top priority.
Analysis and Implications
The vulnerability disclosure and mitigation recommendations provided by ThirdWeb serve as an example of transparency and effective customer support. By providing actionable information and tools for securing impacted contracts, ThirdWeb reduces the risk to web3 developers building on their platform.
However, the event also highlights the nascent state of smart contract security. Libraries and tools meant to simplify and speed development can inadvertently introduce risks if not thoroughly vetted. While auditing and formal verification solutions are advancing, virtually no contract can be declared "risk-free".
ThirdWeb has not disclosed any further details, such as the identity of the vulnerable library or the specifics of the exploit.