Thirdweb, a smart contract development company, has disclosed a security vulnerability that could impact various smart contracts within the Web3 ecosystem. In a report on December 4, the company said it had identified a flaw in a widely used open source library that may affect specific pre-built smart contracts, including some developed by Thirdweb. Although Thirdweb's investigation did not indicate any exploitation of the smart contract vulnerability, there remains a slim chance for the Web3 company to evade a potential security breach.
Highlighting the severity of the situation, Thirdweb emphasized the potential for significant damage if the vulnerability remains unaddressed, and listed the contracts involved: "Affected pre-built contracts encompass a range, including DropERC20, ERC721, ERC1155 (across all versions), and AirdropERC20." To alert the Web3 ecosystem proactively, the company urged users who deployed contracts before November 22 to take immediate mitigation measures, either independently or by using tools provided by Thirdweb.
As part of their recommendations, Thirdweb advised developers to utilize revoke.cash, a platform aiding users in revoking approvals related to all affected contracts. Commenting on the request to revoke approvals, DefiLlama developer "0xngmi" supported the suggestion, indicating its protective nature for users who opt not to mitigate a contract. Thirdweb initiated contact with the maintainer of the open source library at the core of the vulnerability, as well as other potentially impacted teams.
To address the issue comprehensively, Thirdweb outlined increased investments in security measures and announced a doubling of bug bounty amounts from $25,000 to $50,000. It also plans to implement a more rigorous audit process and to provide a grant to cover the costs of mitigating the impacted contracts. Additionally, Thirdweb pledged to offer retroactive gas grants to cover the expenses incurred in mitigating affected contracts.
To maintain security standards, Thirdweb did not disclose detailed specifics regarding the vulnerability. Thirdweb secured $24 million in Series A funding in August 2022, with investors including Haun Ventures, Coinbase, Shopify, and Polygon. The company provides multi-chain smart contract deployment tools for applications such as games, minting, marketplaces, and wallets, and has a user base of over 70,000 developers using its services monthly.