The Web3 company is aware of major security flaws in shared smart contracts
Thirdweb, a smart contract development firm, has reported a security vulnerability that “could affect various smart contracts on the Web3 ecosystem.”
On December 4th, Thirdweb reported a vulnerability in a commonly used open source library that affects some pre-built smart contracts, including its own. However, Thirdweb's investigation found that the vulnerability has not yet been exploited, giving Web3 companies a small window to avoid a potential hack.
Highlighting the vulnerability's potential to cause significant damage if not addressed promptly, Thirdweb said:
“The affected pre-built contracts are not limited to DropERC20, ERC721, ERC1155 (all versions) and AirdropERC20.”
Following an early warning for the Web3 ecosystem, the company warned users who deployed the contract before November 22 to “take mitigation measures” either individually or using company-provided tools.
Important
On November 20, 2023 at 6:00 PM PST, we became aware of a security vulnerability in a widely used open source library in the Web3 industry.
This affects various smart contracts on the web3 ecosystem, including some of thirdweb's pre-built smart contracts.…
— thirdweb (@thirdweb) December 5, 2023
Thirdweb also advised developers to revoke approvals on all affected contracts using revoke.cash, which protects your users if they choose not to revoke the contract. DefiLlama developer “0xngmi” commented on the request to revoke approvals.
btw this seems important, they are asking to revoke all approvals for 3rd web contracts (you may have been dealing with them without realizing they were white-labeled, especially if you work in the nfts area) https://t.co/T1YU9xnIRb
— 0xngmi (@0xngmi) December 5, 2023
Thirdweb has contacted the maintainers of the open source library at the root of the vulnerability and other groups that may be affected by the issue.
It also pledged to implement a more stringent audit process for security measures and to double bug bounty payments from $25,000 to $50,000. The firm also offered financial assistance to cover the cost of contract mitigation.
“We understand this will cause disruption, and we are pursuing mitigation with the utmost concern. We will be issuing a retroactive gas grant to cover contract curtailment payments.”
Full details of the vulnerability have not been disclosed for security reasons. Cointelegraph contacted Thirdweb for further updates but was redirected to a blog post.
The firm raised $24 million in Series A funding in August 2022 with Haun Ventures, Coinbase, Shopify and Polygon.
Thirdweb, a company that provides multi-chain smart contract deployment tools for gaming, entrepreneurship, marketplaces and wallets, says it has more than 70,000 developers using its service every month.