After confirming a major security vulnerability, Web3 development toolkit Thirdweb doubled its bug bounty reward, raising it from $25,000 to $50,000.
The official announcement highlighted the vulnerability’s potential to impact “a variety of smart contracts across the Web3 ecosystem”, if not rectified immediately. It said:
“The impacted pre-built contracts include but are not limited to DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20.”
The security flaw was first detected on 20 November 2023 during one of Thirdweb's regular smart contract audits. It exists in a commonly used open-source library for Web3 smart contracts, on which some of Thirdweb's pre-built smart contracts depend.
The firm assured users that, based on an investigation conducted alongside its audit partners, the vulnerability has not been exploited in any Thirdweb smart contract.
Thirdweb identified 13 affected smart contracts, including AirdropERC20, ERC721 and ERC1155, among others.
Prioritising its customers, the platform advised contract owners to carry out mitigation steps. The advice was directed at anyone who had deployed one of the impacted pre-built smart contracts through Thirdweb's dashboard or SDKs before November 22nd at 7pm PST.
Depending on the nature of the contract, mitigation may involve locking the contract, taking a snapshot of its state, and migrating to a new contract. Thirdweb also asked developers to help their users revoke token approvals on all affected contracts using revoke.cash, "which will protect your users if you choose not to mitigate the contract". Revoking approvals removes the permission a third party (a marketplace or other operator) holds to move a user's tokens, so an attacker who abuses the vulnerable contract cannot drain those tokens through an existing approval.
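The approval revocations that revoke.cash performs are ordinary transactions against the token contract: `approve(spender, 0)` for an ERC-20 and `setApprovalForAll(operator, false)` for an ERC-721 or ERC-1155. The following is an added example, not code from Thirdweb or revoke.cash, showing how those transactions and the read calls used to verify them are encoded with no library beyond the Node.js standard runtime. The function selectors are the standard 4-byte values for those signatures; every address and the `SAMPLE_AFFECTED` list are constructed for illustration.

```javascript
// Added example (not Thirdweb's or revoke.cash's code): build the calldata for
// revoking ERC-20 allowances and ERC-721/ERC-1155 operator approvals, plus the
// eth_call payloads a script would use to confirm the approval is gone.

// Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "approve(address,uint256)": "095ea7b3",
  "setApprovalForAll(address,bool)": "a22cb465",
  "allowance(address,address)": "dd62ed3e",
  "isApprovedForAll(address,address)": "e985e9c5",
};

function isAddress(a) {
  return typeof a === "string" && /^0x[0-9a-fA-F]{40}$/.test(a);
}

// ABI-encode a 20-byte address as a left-padded 32-byte word (64 hex chars).
function encodeAddress(addr) {
  if (!isAddress(addr)) throw new Error(`invalid address: ${addr}`);
  return addr.slice(2).toLowerCase().padStart(64, "0");
}

// ABI-encode an unsigned integer as a 32-byte word; reject out-of-range values.
function encodeUint256(n) {
  const v = BigInt(n);
  if (v < 0n || v >= 1n << 256n) throw new RangeError("uint256 out of range");
  return v.toString(16).padStart(64, "0");
}

function encodeBool(b) {
  return encodeUint256(b ? 1n : 0n);
}

// Decode a single 32-byte return word (as returned by eth_call) to a BigInt.
function decodeUint256Word(hex) {
  if (!/^0x[0-9a-fA-F]{64}$/.test(hex)) throw new Error(`bad return word: ${hex}`);
  return BigInt(hex);
}

// ERC-20: approve(spender, 0) zeroes the spender's allowance.
function erc20RevokeCalldata(spender) {
  return "0x" + SELECTORS["approve(address,uint256)"] + encodeAddress(spender) + encodeUint256(0n);
}

// ERC-721 / ERC-1155: setApprovalForAll(operator, false) removes blanket operator rights.
function nftRevokeCalldata(operator) {
  return "0x" + SELECTORS["setApprovalForAll(address,bool)"] + encodeAddress(operator) + encodeBool(false);
}

// Read-side calldata for verifying state before and after the revocation.
function erc20AllowanceCalldata(owner, spender) {
  return "0x" + SELECTORS["allowance(address,address)"] + encodeAddress(owner) + encodeAddress(spender);
}

function nftIsApprovedForAllCalldata(owner, operator) {
  return "0x" + SELECTORS["isApprovedForAll(address,address)"] + encodeAddress(owner) + encodeAddress(operator);
}

// Interpret an eth_call result for either check: a non-zero word means the
// approval is still in place and the revocation has not (yet) taken effect.
function approvalStillActive(returnWord) {
  return decodeUint256Word(returnWord) !== 0n;
}

// Build the unsigned transactions a wallet would sign, one per affected contract.
// `holder` is the token owner; `address` is the affected contract; `operator` is
// the spender/operator whose approval is being removed.
function buildRevocations(holder, affected) {
  if (!isAddress(holder)) throw new Error(`invalid holder: ${holder}`);
  return affected.map(({ address, standard, operator }) => {
    const data = standard === "ERC20" ? erc20RevokeCalldata(operator) : nftRevokeCalldata(operator);
    return { from: holder, to: address, value: "0x0", data };
  });
}

// Constructed sample input (hypothetical addresses): one ERC-20 and one ERC-721
// contract, both with an approval granted to the same marketplace-style operator.
const SAMPLE_HOLDER = "0x1111111111111111111111111111111111111111";
const SAMPLE_OPERATOR = "0x3333333333333333333333333333333333333333";
const SAMPLE_AFFECTED = [
  { address: "0x2222222222222222222222222222222222222222", standard: "ERC20", operator: SAMPLE_OPERATOR },
  { address: "0x4444444444444444444444444444444444444444", standard: "ERC721", operator: SAMPLE_OPERATOR },
];

console.log(JSON.stringify(buildRevocations(SAMPLE_HOLDER, SAMPLE_AFFECTED), null, 2));
```

Each object in the output is what a wallet or an `eth_sendTransaction` call needs: the `data` field carries the selector followed by two 32-byte words. The `allowance` / `isApprovedForAll` payloads are meant to be sent through `eth_call` against the same contract before and after the revocation; a zero return word confirms the approval is gone. Note that ERC-721 per-token approvals granted with `approve(to, tokenId)` are not cleared by `setApprovalForAll(operator, false)` and would need to be revoked separately.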
The team is now working with the maintainers of the open-source library in which the vulnerability originates. It has also contacted other teams that are potentially affected by the flaw.
Nothing to worry about
Many, including leading NFT platform OpenSea, responded to the concerns raised by Thirdweb regarding the vulnerability.
While OpenSea confirmed that it was in discussions about security concerns in specific NFT collections, others, such as the CoolCats and ApesRare NFT collections, reassured their holders that they were not affected.
OpenSea also hinted at forthcoming support for affected collection owners and at changes related to contract migration on its platform. CoolCats, for its part, announced plans to migrate its Avatar System packs contract to a more secure one.
At the time of writing, Thirdweb has not disclosed full details of the vulnerability. Alongside doubling the bug bounty payout, it has pledged to implement a more rigorous auditing process. It also promised a grant to cover the cost of contract mitigations:
“We understand that this will cause disruption, and we are treating the mitigation of the issue with the utmost seriousness. We will be offering a retroactive gas grant to cover fees for contract mitigations.”
Thirdweb is known for providing multi-chain smart contract deployment tools for gaming, minting, marketplaces and wallets. It claims to attract over 70,000 developers every month and to let them build on more than a thousand EVM chains.