

What We Know About The Contract Vulnerability Worrying Web3
Today, thirdweb—creators of a popular web3 development toolkit—disclosed the existence of a major vulnerability in an open-source code library that is widely used in smart contracts throughout web3.
According to thirdweb, this vulnerability was present—but not yet taken advantage of—in a number of thirdweb’s pre-built smart contracts. “Based on our investigation so far, this vulnerability has not been exploited in any thirdweb smart contracts. However, smart contract owners must take mitigation steps on certain pre-built smart contracts that were created on thirdweb prior to November 22nd, 2023 at 7pm PT,” they said in a post on X.
Thirdweb noted that the vulnerability may have been present in some of the pre-built contracts that their users had set up to drop fungible or non-fungible tokens—including some ERC20, ERC721 and ERC1155s.
While they have not disclosed the nature of the vulnerability—stating on their newly-launched mitigation website that this would risk the security of others—thirdweb have included a full list of their affected contracts on that site, and have provided detailed instructions and tools for their users who need to take immediate steps to mitigate the risk. “In most cases, the mitigation steps will involve locking the contract, taking a snapshot and migrating to a new contract without the known vulnerability. The exact steps you need to take will depend on the nature of your smart contract, and you can determine these using the [mitigation] tool,” they said on X.
At present, the extent of where and how this vulnerable open-source library is deployed in other smart contracts across the web3 ecosystem is unconfirmed—which is causing concern across web3, with developers, builders and creators fielding worried questions from clients and colleagues. “Has anything actually been disclosed? I’ve seen this ‘we found something’ post and a bunch of others like Rarible saying ‘they found something’ but no one has said what it is or what to do or even what is impacted exactly. It’s a little frustrating because I woke up to a dozen panicked emails from various projects I’ve worked on saying ‘are we impacted? What do we need to do??’ And all I can say is ‘no idea, we just have to wait and see what gets revealed in the coming days,’” Sean Bonner, artist and veteran project creator, told nft now. “It would have been nice if the announcement also included the fix instead of just launching everyone into the unknown,” he said.
As thirdweb’s contracts have been commonly used to create NFT collections, marketplaces have been quick to respond, including OpenSea, Coinbase NFT and Rarible, which used affected thirdweb contracts in a number of drops. Although information is still sparse, the marketplaces have taken public steps to reassure users. In a post on X, Rarible addressed creators. “If your drop was on Polygon, there’s nothing you need to do. We are mitigating the issue, and we will be in touch when the solution has been implemented. If your drop was on Ethereum, you don’t need to do anything yet. We will address the vulnerability, and will be in touch with a plan for redistributing tokens on a secured contract. We will continue to monitor this issue & keep our users informed,” they posted.
“OpenSea is in touch with thirdweb after their disclosure of a security vulnerability that impacts a subset of collections,” their spokesperson told nft now. “Thirdweb has published a blog post that outlines the steps creators can take to migrate their collections to a new smart contract without the known vulnerability. We strongly encourage impacted collection owners to take action, and we are evaluating how to support the newly migrated collections on OpenSea,” they said.
Although the issue’s underlying cause is linked to third-party tooling, the OpenSea team is coordinating closely with thirdweb to support a resolution, while taking proactive measures on their own platform to ensure user safety. They also emphasized that their own SeaDrop contract is not affected. In response to a question on X, OpenSea business development lead Will Brooke underscored this point. “Confirmed—does not affect ERC721SeaDrop,” he wrote.

OpenZeppelin, the secure blockchain standard whose libraries may have been involved in the disclosed vulnerability, offered a write-up on X, sharing early results from their enquiry that may reassure a worried web3 community. “Based on our investigation, the issue is inherent to a problematic integration of specific patterns, and NOT particular to the implementations contained in the OpenZeppelin Contracts library. Nonetheless, we will lead the effort to assess who in the community is affected and provide them with mitigation strategies. At the appropriate time, we will responsibly disclose this vulnerability following best practices for the safety of the community,” they wrote. They also assured the public that after giving those affected time to mitigate the vulnerability, they will disclose it in accordance with responsible cybersecurity practices.
The post What We Know About The Contract Vulnerability Worrying Web3 appeared first on nft now.