Some creators of Ethereum NFT projects are scrambling to secure their collections after Thirdweb, a prominent crypto development platform, disclosed issues with its smart contracts late Monday.
Thirdweb wrote that a security vulnerability in a “commonly used open-source library for Web3 smart contracts” was discovered, and that it affects pre-built contracts offered by Thirdweb among others. Smart contracts hold the code that power autonomous decentralized apps (dapps) and NFT collections.
Due to the apparent seriousness of the vulnerability, Thirdweb is not disclosing which open-source library was the root of the exploit, or details on what the exploit entails. OpenZeppelin, a widely used open-source library for smart contracts, has since come out to say that the issue isn’t tied to its repository.
“Based on our investigation, the issue is inherent to a problematic integration of specific patterns, and not particular to the implementations contained in the OpenZeppelin Contracts library,” it tweeted—but added that it would still “lead the effort to assess who in the community is affected and provide them with mitigation strategies.”
IMPORTANT
On November 20th, 2023 6pm PST, we became aware of a security vulnerability in a commonly used open-source library in the web3 industry.
This impacts a variety of smart contracts across the web3 ecosystem, including some of thirdweb’s pre-built smart contracts.…
— thirdweb (@thirdweb) December 5, 2023
Thirdweb said that it does not believe that any smart contracts have yet been exploited, but it recommends that projects undertake a mitigation process that includes locking down their current smart contract and migrating to a new one, then airdropping tokens to current holders. The company said that it would help cover network fees associated with migrating holders from an affected smart contract.
According to Thirdweb, it became aware of the contract vulnerability on November 20 and rolled out a fix to its pre-built smart contract templates on November 22. As a result, any Thirdweb smart contracts deployed after 10 p.m. ET on November 22 are believed to be safe, but those deployed prior to then may be affected.
Is NFT Winter Over? Prices Climb as Bitcoin and Ethereum Surge
The exploit is tied to NFT smart contracts that use the Ethereum ERC-721 and ERC-1155 standards, but also fungible tokens minted via the ERC-20 standard. A full list of affected contract types is available via Thirdweb’s blog post, along with a mitigation tool that can identify any impacted contracts.
Many major industry players have come out to weigh in on how the issue may impact their users, NFT holders, and NFT project creators.
We are in touch with @thirdweb about the security vulnerability impacting some NFT collections. Stay tuned for more info on how we can assist affected collection owners with any changes on OpenSea tied to contract migration. Please read @thirdweb’s post below for more detail. https://t.co/HU6bmXWU7U
— OpenSea (@opensea) December 5, 2023
Major NFT marketplace OpenSea tweeted that users should “stay tuned for more info on how we can assist affected collection owners with any changes on OpenSea tied to contract migration.” Rarible, another NFT marketplace, said that some NFT drops on its platform are also affected across Ethereum and sidechain scaling network Polygon.
Coinbase said that some collections created on its NFT platform are impacted, while smart contract startup Manifold said that its own contracts are unaffected. Base, the Ethereum layer-2 scaling network that Coinbase incubated, also said that some project contracts utilized on Base are affected, but the network itself is secure.
Moca Transparency Tuesday – TL;DR: Mocas are SAFU, Funds are SAFU, Wallets are SAFU
On Dec 2 at 11:17am HKT, we were made aware by @thirdweb, our smart contract development partner for the Mocaverse collections, that there was a need for a security update to the smart contracts…
— Mocaverse💼🪐 (@MocaverseNFT) December 5, 2023
Ethereum profile picture (PFP) project Cool Cats said that while its main NFTs are safe, it will migrate its Avatar System packs to a new contract. Meanwhile, Animoca Brands’ Mocaverse gaming platform said it has migrated its various NFT collections to new contracts, and will let holders claim the new versions.
In addition to covering fees for migrated projects, Thirdweb wrote that it has doubled its bug bounty payments from $25,000 to $50,000, and will utilize “a more rigorous auditing process” going forward.