Thirdweb, a Web3 developer platform, has discovered critical security vulnerabilities in widely-used open source libraries within the Web3 industry.
Discovered on November 21, these vulnerabilities pose a risk to numerous smart contracts in the Web3 ecosystem, including some of Thirdweb’s own pre-built smart contracts.
As of now, there’s no evidence of these vulnerabilities being exploited in ThirdWeb smart contracts.
Owners of affected pre-built contracts that were built before November 23, such as DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20, must take mitigation measures.
For contract builders who deployed pre-built smart contracts using Thirdweb’s dashboard or SDK before that time, specific actions are required to mitigate potential exploitation.
Typically, mitigation involves locking the contract, taking snapshots, and migrating to a new contract devoid of known vulnerabilities.
Withdrawing tokens locked in any liquidity or staking pools is imperative before initiating these mitigation steps.
Failure to do so may hinder the distribution of new tokens to users. Furthermore, contract builders are advised to request users to revoke approval for all ThirdWeb contracts using revoke.cash.
All other ThirdWeb services, encompassing wallet, payment, and infrastructure services, remain unaffected, operating seamlessly as usual.
On December 4, Mocaverse, when faced with this particular problem, took a precautionary approach.
The Animoca-linked company took snapshots, and used pre-built smart contracts for their collections on Polygon to protect the collections involved.