On December 4, Thirdweb, a leading smart contract development firm, disclosed a security vulnerability that could affect a range of smart contracts within the Web3 ecosystem. The firm traced the vulnerability to a widely used open-source library, which could affect specific pre-built smart contracts, including some developed by Thirdweb itself. Importantly, Thirdweb’s investigation concluded that the vulnerability had not yet been exploited, giving Web3 firms a crucial window to address the issue before any attack occurs.
The vulnerability affects commonly used pre-built contracts such as DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20. Thirdweb issued a proactive warning to the Web3 community, urging users who deployed its contracts before November 22 to take independent mitigation steps or to use a mitigation tool provided by the company.
To address the situation, Thirdweb has reached out to the maintainers of the open-source library responsible for the vulnerability and contacted other teams that may be affected. The company has committed to enhancing its investment in security measures, doubling bug bounty payouts from $25,000 to $50,000, and implementing a more rigorous auditing process. Additionally, Thirdweb is offering a grant to cover the costs associated with contract mitigations.
In response to potential disruptions caused by these security measures, Thirdweb assured the affected users that a retroactive gas grant would be provided to cover fees for contract mitigations. Full details of the vulnerability were not disclosed for security reasons.
Thirdweb, which secured $24 million in a Series A funding round in August 2022 with support from Haun Ventures, Coinbase, Shopify, and Polygon, is a prominent player in the Web3 space. The company provides multichain smart contract deployment tools for gaming, minting, marketplaces, and wallets, boasting a user base of over 70,000 developers utilizing its services on a monthly basis. As the Web3 community grapples with potential security risks, Thirdweb’s proactive approach underscores the industry’s commitment to safeguarding the integrity of smart contracts.