UPDATED 12:25 EDT / DECEMBER 05 2023


Web3 firm Thirdweb discloses major vulnerability in common open-source NFT library

Thirdweb, a platform that provides developers with tools to build Web3 apps, disclosed that the company became aware of a security vulnerability in a common open-source library used by major blockchain companies to construct smart contracts for nonfungible tokens.

In a post Monday on X, formerly Twitter, the company revealed that it became aware of the vulnerability on Nov. 20 and that it affects a variety of smart contracts across the Web3 industry, including its own.

“Based on our investigation so far, this vulnerability has not been exploited in any Thirdweb smart contracts,” the company said. “However, smart contract owners must take mitigation steps on certain pre-built smart contracts that were created on Thirdweb prior to November 22nd, 2023 at 7pm PT.”

Smart contracts are an important part of blockchain-based application building and form the basis for decentralized software operations, also known as Web3 or the decentralized web. A smart contract is a piece of software, deployed on a blockchain, that executes automatically when predetermined conditions are met. This provides a network of software-controlled peer-to-peer transactions across tamper-proof ledgers, allowing developers to create numerous different apps that take advantage of this capability.

For example, developers have created decentralized financial applications, token exchanges, decentralized games and nonfungible tokens. Nonfungible tokens, or NFTs, are a type of blockchain-based crypto asset that represent the ownership of digital items such as artwork, images — which can be used as profile pictures — digital trading cards and video game items. NFTs can be created, held, bought and sold for cryptocurrency, which gives them real-world value that can be exchanged for money. They also rely on smart contract software for their operation.

Thirdweb said that the vulnerability impacted pre-built smart contracts including, but not limited to, DropERC20, ERC721, ERC1155 and AirDrop20. The company included a full list of the smart contracts affected by the vulnerability in a blog post on its website so that customers could immediately take action. The company also made available a mitigation tool and vulnerability checker online.

The company did not specify which open-source library was affected by the vulnerability, stating that withholding that information was done to “mitigate the chance of exploitation,” but the maintainers of the library had been contacted. Thirdweb went on to say that it also contacted other teams that it believed were impacted by the same issue and shared the findings and mitigation measures.

In the wake of the revelation, major Web3 industry operators such as OpenSea, which runs the largest NFT marketplace, and Coinbase Inc., the largest cryptocurrency exchange in the United States, responded to Thirdweb’s announcement.

“We are in touch with @thirdweb about the security vulnerability impacting some NFT collections,” said OpenSea, in a post on X. “Stay tuned for more info on how we can assist affected collection owners with any changes on OpenSea tied to contract migration.”

Coinbase posted on X to say that the company was informed by Thirdweb on Friday, Dec. 1, that some of the company’s NFT collections on Coinbase NFT were affected. “We immediately responded to @thirdweb to understand the nature of the vulnerability and possible mitigation strategies,” the company said. “Today, in line with thirdweb’s disclosure timeline, we timed outreach to builders who may have deployed impacted contracts prior to Nov 22, 2023.”

Base, a secure and low-cost Ethereum scaling solution for developers that was built by Coinbase, responded that it had been contacted by Thirdweb and that the project itself was unaffected by the issue.

Although this vulnerability has been disruptive to the industry and for Thirdweb, the company says that it’s going to use it as a moment to redouble its security efforts. This includes doubling its bug bounty payouts from $25,000 to $50,000 per bounty and implementing a deeper auditing process designed to catch these sorts of potential issues sooner.

Image: geralt/Pixabay
