Thirdweb, a prominent platform for Web3 developers, has issued a warning regarding a security vulnerability discovered in a widely used open-source library within the Web3 industry.
In a post on X (formerly Twitter) on December 5, Thirdweb said the identified vulnerability poses a risk to various smart contracts within the Web3 ecosystem. This includes certain pre-built smart contracts accessible through Thirdweb’s dashboard or SDKs before November 22nd at 7 pm PST.
The affected pre-built contracts encompass, among others, DropERC20, ERC721, ERC1155, and AirdropERC20.
In response, major NFT platforms, such as OpenSea, Coinbase NFT, and Rarible, commented on the situation.
OpenSea shared a post on X, stating that the team is actively communicating with Thirdweb regarding the security vulnerability affecting specific NFT collections. They assured users of a forthcoming update.
Similarly, in a post on X, Coinbase NFT informed users that the company is in contact with the Thirdweb team and is diligently reviewing the security of the impacted contracts.
Notably, Thirdweb sought to reassure users by asserting that any Thirdweb smart contract deployed after November 22nd at 7 pm PST (provided it is the latest version) remains unaffected by the disclosed vulnerability. Thirdweb has implemented a mitigation tool for users to check whether their contracts may have been compromised.
In response to the incident, Thirdweb has announced an increased investment in security measures. This involves doubling bug bounty payouts from $25k to $50k per bounty and implementing a more rigorous auditing process. The objective is to establish a robust environment for Web3 developers. Additionally, Thirdweb will provide a retroactive gas grant to cover fees associated with contract mitigations.