Web3 developer platform Thirdweb disclosed a major security vulnerability discovered in its open-source library.
This vulnerability, which Thirdweb became aware of on Nov. 20, affects multiple NFT collections — specifically, pre-built smart contracts it provided. However, the firm has not clarified which specific collections may be impacted.
One of the largest NFT trading platforms, OpenSea, came forward in response — noting that some NFT collections on its platform were impacted. OpenSea said it’s working with those collections to mitigate security issues. “We are in touch with Thirdweb about the security vulnerability impacting some NFT collections. Stay tuned for more info on how we can assist affected collection owners with any changes on OpenSea tied to contract migration,” OpenSea wrote.
Coinbase NFT said it was notified of the security vulnerability on Dec. 1 and impacts “some NFT collections on Coinbase NFT created with Thirdweb.”
The Coinbase-backed Layer 2 network, Base, also stated the issue affects some of the NFT contracts deployed on the network.
Thirdweb said in its disclosure today that, to its knowledge, the vulnerability has not been exploited in any of the projects using its smart contracts. However, it reiterated that smart contract owners must take measures for specific pre-built contracts created on Thirdweb to mitigate potential exploitation of this vulnerability. Affected pre-built contracts include “DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20”.
In most cases, mitigation will involve locking the contract, taking snapshots, and migrating to a new contract without known vulnerabilities. If contract builder holders have tokens locked in any liquidity or staking pools, they should withdraw them before starting these steps.
Source: The Block
