Web3 developer platform Thirdweb has identified a security vulnerability in widely used open source libraries that affects various smart contracts in the Web3 ecosystem, including some of Thirdweb's pre-built smart contracts. Immediate action is required for contracts created before November 23.
Security Alert
Thirdweb's team revealed the vulnerability on November 21, Beijing time. The affected open source libraries are integral to the Web3 industry, posing potential risks to smart contracts. While no exploitation has been reported in Thirdweb's contracts, owners of certain pre-built contracts created before 11:00 Beijing time on November 23, such as DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20, must implement mitigation measures.
Mitigation Steps
For contract builders who deployed pre-built smart contracts using Thirdweb's dashboard or SDK before 11:00 UTC on November 23, urgent steps are necessary. Mitigation typically involves locking the contract, taking snapshots, and migrating to a new contract without known vulnerabilities.
Important Considerations
Contract holders with tokens in liquidity or staking pools should withdraw them before initiating mitigation steps. Failure to do so may hinder the distribution of new tokens. Contract builders are also advised to ask users to revoke approval for all Thirdweb contracts through http://revoke.cash.
Immediate Response
Thirdweb has promptly rolled out remediation measures for all affected pre-built contracts created after 11:00 Beijing time on November 23. Notably, other Thirdweb services, including wallet, payment, and infrastructure services, remain unaffected and continue normal operations.
Conclusion
Thirdweb emphasizes its commitment to protecting customers from potential vulnerabilities. Contract builders are urged to adhere to the provided mitigation steps to safeguard their smart contracts and user interests.
While Thirdweb demonstrates swift remediation, the incident underscores the importance of ongoing vigilance in the dynamic landscape of Web3 development.