Web3 development firm Thirdweb recently detected a serious security vulnerability that could impact hundreds of Ethereum-based smart contracts built using a popular open-source code library. In a Dec 4th announcement, Thirdweb warned the flaw could affect contracts across the crypto ecosystem, including some of their own pre-built offerings for NFTs, airdrops, and tokens.
As Thirdweb stated, “The impacted pre-built contracts include but are not limited to DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20.” They advised any users who deployed affected Thirdweb contracts prior to Nov 22nd to immediately take mitigation steps either independently or using a tool provided by the company.
Importantly, Thirdweb noted that while the vulnerability poses a massive risk, they do not believe it has been actively exploited yet, leaving a small window to avoid potential hacks. Beyond their own users, Thirdweb has contacted the open-source library maintainers and other teams likely to be impacted.
To incentivize damage control, Thirdweb is doubling its bug bounty payouts from $25,000 to $50,000 for the next month and will be offering gas reimbursements to cover mitigation costs. The company said it will also be bolstering security practices moving forward with more stringent auditing. However, specific details of the vulnerability are not being shared publicly for safety reasons.
As a provider of easy smart contract deployment infrastructure with over 70,000 monthly active developers, a flaw in Thirdweb’s technology could have ripple effects across many Ethereum projects. Users of crypto services that rely on smart contracts should watch for notices in case their applications or assets are affected and require updating.
While disruptive in the short term, the discovery of this major vulnerability before any known exploits is a positive sign for the growing Web3 sector. As adoption spreads, thorough auditing and disclosure of issues by development teams like Thirdweb will prove critical to avoiding the massive crypto heists seen in previous years. The response exhibits increased maturity even if flaws remain.