Web3 developer platform Thirdweb has disclosed a serious security vulnerability in a widely used open-source library that affects its pre-built smart contracts and, through them, a number of NFT collections. The disclosure has raised concerns within the Web3 community.
Prompt Response and Collaborative Efforts
Thirdweb stated that, to its knowledge, the vulnerability has not been exploited in any project using its smart contracts. It stressed, however, that owners of certain pre-built contracts deployed through Thirdweb must take specific mitigation steps to prevent possible abuse.
Thirdweb identified the vulnerability on November 20. The affected pre-built contracts include those behind NFT collections listed on OpenSea and the Coinbase NFT platform. OpenSea acknowledged the issue and said, “Stay tuned for more info on how we can assist affected collection owners with any changes on OpenSea tied to contract migration.”
Coinbase NFT, which was informed on December 1 about the affected collections on its platform, also responded. It said, “In line with thirdweb’s disclosure timeline, we timed outreach to builders who may have deployed impacted contracts before November 22, 2023.”
Both OpenSea and Coinbase NFT have assured their users that no security breach occurred on their respective platforms and that customer funds remain safe. The Layer 2 network Base likewise said that the vulnerability affects some of Thirdweb’s pre-built contracts deployed on Base, but that “Base itself is unaffected by this issue. All funds on Base are safe.”
Mitigating Vulnerabilities and Ensuring User Safety
Thirdweb has published an announcement with the steps affected users should take. It says, “Our immediate priority is to protect our customers impacted by this vulnerability. Users who deployed one of these impacted pre-built smart contracts using thirdweb’s dashboard or SDKs before November 22 at 7pm PST need to perform some mitigation steps.”
In short, Thirdweb recommends that affected contract owners lock their existing contracts, capture a snapshot of the current token holders, and migrate to new contracts. OpenSea and Coinbase NFT have committed to supporting collection owners through these mitigation steps.
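The “capture a snapshot” step deserves a concrete illustration. The example below, written for this article and not taken from Thirdweb’s own tooling, reconstructs which address owns each ERC-721 token at the block where a collection was locked by replaying its Transfer events in order. The event list is constructed inline (the addresses are placeholders, not real accounts); in practice the events would be fetched with eth_getLogs for the locked contract’s Transfer topic, and the resulting holder list would feed the re-mint into the new contract. The consistency check, which rejects a transfer from an address that does not hold the token, is an assumption of this example: it exists to catch a missing or out-of-order log before a snapshot is used for migration.

```python
# Added example for this article: build an ERC-721 holder snapshot from
# Transfer(from, to, tokenId) events up to a cutoff block. Not thirdweb code.
from collections import defaultdict
from dataclasses import dataclass

ZERO = "0x" + "0" * 40  # mint when `frm` is ZERO, burn when `to` is ZERO


@dataclass(frozen=True)
class Transfer:
    block: int      # block number the event was emitted in
    log_index: int  # position within the block, for stable ordering
    frm: str
    to: str
    token_id: int


def build_snapshot(events, cutoff_block):
    """Return {token_id: owner} for tokens still in circulation at cutoff_block.

    Events are applied in (block, log_index) order; anything after the cutoff
    is ignored so the snapshot matches the state at which the contract was
    locked. Raises ValueError if the stream is inconsistent (a transfer from a
    non-owner or a double mint), which indicates missing or out-of-order logs.
    """
    owners = {}
    for ev in sorted(events, key=lambda e: (e.block, e.log_index)):
        if ev.block > cutoff_block:
            break
        frm, to = ev.frm.lower(), ev.to.lower()
        if frm == ZERO:  # mint: token must not currently have an owner
            if ev.token_id in owners:
                raise ValueError(f"token {ev.token_id} minted while already owned")
        elif owners.get(ev.token_id) != frm:
            raise ValueError(f"token {ev.token_id}: transfer from non-owner {frm}")
        if to == ZERO:   # burn: drop the token from circulation
            owners.pop(ev.token_id, None)
        else:
            owners[ev.token_id] = to
    return owners


def is_consistent(events, cutoff_block):
    """True if the event stream replays cleanly up to cutoff_block."""
    try:
        build_snapshot(events, cutoff_block)
        return True
    except ValueError:
        return False


def holder_balances(snapshot):
    """Map each owner to the number of tokens it holds in the snapshot."""
    balances = defaultdict(int)
    for owner in snapshot.values():
        balances[owner] += 1
    return dict(balances)


def remint_list(snapshot):
    """(owner, token_id) pairs in token order, the input for re-minting."""
    return sorted(((owner, tid) for tid, owner in snapshot.items()), key=lambda p: p[1])


# Constructed sample data (placeholder addresses, not real accounts).
ALICE = "0x" + "a" * 40
BOB = "0x" + "b" * 40
CAROL = "0x" + "c" * 40
CUTOFF = 115  # hypothetical block at which the contract was locked

SAMPLE_EVENTS = [
    Transfer(100, 0, ZERO, ALICE, 1),   # mint #1 to Alice
    Transfer(100, 1, ZERO, BOB, 2),     # mint #2 to Bob
    Transfer(105, 0, ALICE, CAROL, 1),  # Alice sells #1 to Carol
    Transfer(110, 0, BOB, ZERO, 2),     # Bob burns #2
    Transfer(111, 0, ZERO, BOB, 3),     # mint #3 to Bob
    Transfer(120, 0, CAROL, ALICE, 1),  # after the cutoff: must be ignored
]

if __name__ == "__main__":
    snap = build_snapshot(SAMPLE_EVENTS, CUTOFF)
    for owner, tid in remint_list(snap):
        print(f"token {tid} -> {owner}")
    print(holder_balances(snap))
```

Ordering by (block, log_index) rather than by the order logs arrive matters: if the snapshot is taken from several paginated eth_getLogs calls, a late-arriving earlier event would otherwise be applied in the wrong place and the consistency check would fire, which is the desired signal to re-fetch rather than silently migrate a wrong holder list.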
The incident is a reminder that, in the fast-moving Web3 and NFT space, security issues in shared libraries propagate to every contract built on them, and that vigilance and prompt, coordinated action are needed when they surface.