[ATTENTION] Vulnerability found in an open-source smart contract library impacted ThirdWeb pre-built contracts

A vulnerability has been discovered (details are not being disclosed) in a commonly used open-source library for web3 smart contracts; it impacts some of Thirdweb’s pre-built smart contracts.

Users who deployed one of these impacted pre-built smart contracts using Thirdweb’s dashboard or SDKs before November 22nd at 7 pm PST need to perform some mitigation steps.

You can determine and perform the mitigation steps you need to take using a tool built by ThirdWeb which can be accessed here:

https://mitigate.thirdweb.com/

Please double check the URL before visiting it and connecting your wallet.

According to the ThirdWeb announcement here, no ThirdWeb deployed contracts have been affected.

On November 20th, 2023, at 6 PM PST, ThirdWeb became aware of a security vulnerability in a commonly used open-source library for web3 smart contracts. The vulnerability also affects some of thirdweb’s pre-built smart contracts that build on that library.

Which contracts are vulnerable?

The following pre-built smart contracts are impacted by this vulnerability:

  • AirdropERC20 (v1.0.3 and later), AirdropERC721 (v1.0.4 and later), AirdropERC1155 (v1.0.4 and later), AirdropERC20Claimable, AirdropERC721Claimable, AirdropERC1155Claimable
  • BurnToClaimDropERC721 (all versions)
  • DropERC20, DropERC721, DropERC1155 (all versions)
  • LoyaltyCard
  • MarketplaceV3 (all versions)
  • Multiwrap, Multiwrap_OSRoyaltyFilter
  • OpenEditionERC721 (v1.0.0 and later)
  • Pack and Pack_OSRoyaltyFilter
  • TieredDrop (all versions)
  • TokenERC20, TokenERC721, TokenERC1155 (all versions)
  • SignatureDrop, SignatureDrop_OSRoyaltyFilter
  • Split (low impact)
  • TokenStake, NFTStake, EditionStake (all versions)

Users who deployed one of the above mentioned impacted pre-built smart contracts using thirdweb’s dashboard or SDKs before November 22nd at 7 pm PST need to perform some mitigation steps.

Please double-check the URL before completing any steps on the mitigation site. Only interact with https://mitigate.thirdweb.com.

In most cases, the mitigation steps will involve locking the contract, taking a snapshot and migrating to a new contract without the known vulnerability. The exact steps you need to take will depend on the nature of your smart contract, and you can determine these using the tool.

A step-by-step guide on mitigation is available here.

Any thirdweb smart contract (as long as it is the latest version) deployed after November 22nd at 7 PM PST is therefore not impacted by this known vulnerability. All other thirdweb services — including our wallets, payments, and infrastructure services — are also unaffected and functioning as usual.

Gas Grants

ThirdWeb will be offering retroactive gas grants to cover fees for contract mitigations. Receiving a gas grant will depend on a number of factors. Please fill in this form to be considered.

What happens when I lock my contract?

Locking the contract removes all permissions, revokes all admin access, and disables token transfers and minting, so no user will be able to interact with the contract in the future. The tokens become non-transferrable, and the action is irreversible. This prevents bad actors from gaining admin access to your contract.

How do my users get their new assets on the new contract without the vulnerability?

You can either have your users claim new tokens using a claim page provided by the mitigation tool, or you can airdrop new tokens to your users. You can select your preferred option using the mitigation tool.

How does the snapshot tool work?

The snapshot tool maps every owner to the exact tokens they hold on the contract. Tokens held in staking or liquidity pools are not credited to their end users, because on-chain those tokens are held by the escrow contract (the staking or liquidity pool), not by the user. After a contract is locked, these users will not be able to withdraw their tokens, because all token transfers are disabled. ThirdWeb suggests you ask your users to withdraw their tokens from any escrow contracts before you lock your contract and take the snapshot.

Can I have access to my snapshot data?

Yes, you can download your snapshot data in CSV format.
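To make the two answers above concrete, here is an added example (not thirdweb’s snapshot tool and not code from the original post) that rebuilds a holder snapshot the way the text describes: it replays ERC-721 and ERC-20 Transfer events up to a chosen block, attributes each token to its last recipient, flags holders that are escrow contracts (where end users would need to withdraw before the lock), and writes the result as CSV. All addresses, the Transfer log and the "code at address" lookup are constructed for the example; a real run would read the events from an RPC node or indexer and use eth_getCode to decide whether a holder is a contract.

```javascript
// Added example: holder snapshot from Transfer events with escrow detection.
// Not thirdweb's code. All data below is constructed for illustration.

const ZERO = "0x0000000000000000000000000000000000000000";

// Constructed sample addresses (lowercase, not real deployments).
const ALICE = "0xaaaa000000000000000000000000000000000001";
const BOB   = "0xbbbb000000000000000000000000000000000002";
const STAKE = "0xcccc000000000000000000000000000000000003"; // hypothetical staking escrow

// Constructed ERC-721 Transfer(from, to, tokenId) events, ordered by
// (block, logIndex) as an indexer would return them. Mint = from ZERO,
// burn = to ZERO.
const erc721Transfers = [
  { block: 100, logIndex: 0, from: ZERO,  to: ALICE, tokenId: 1n },
  { block: 100, logIndex: 1, from: ZERO,  to: ALICE, tokenId: 2n },
  { block: 101, logIndex: 0, from: ZERO,  to: BOB,   tokenId: 3n },
  { block: 102, logIndex: 0, from: ALICE, to: BOB,   tokenId: 2n },
  { block: 103, logIndex: 0, from: BOB,   to: STAKE, tokenId: 3n }, // Bob stakes #3
  { block: 104, logIndex: 0, from: ALICE, to: ZERO,  tokenId: 1n }, // burn
];

// Constructed ERC-20 Transfer(from, to, value) events.
const erc20Transfers = [
  { block: 100, from: ZERO,  to: ALICE, value: 1000n },
  { block: 101, from: ALICE, to: BOB,   value: 250n },
  { block: 102, from: BOB,   to: STAKE, value: 100n },  // Bob deposits into escrow
];

// Stand-in for eth_getCode: a non-empty code string means "contract".
// Constructed; in production query the node instead.
const constructedCode = new Map([[STAKE, "0x6080604052"]]);
function isContract(addr) {
  return constructedCode.has(addr.toLowerCase());
}

// ERC-721: the last `to` for each tokenId at or before snapshotBlock is the owner.
// Returns Map<owner, sorted tokenId[]>.
function snapshotErc721(transfers, snapshotBlock) {
  const ownerOf = new Map();
  for (const t of transfers) {
    if (t.block > snapshotBlock) continue;
    if (t.to === ZERO) ownerOf.delete(t.tokenId);
    else ownerOf.set(t.tokenId, t.to.toLowerCase());
  }
  const holdings = new Map();
  for (const [id, owner] of ownerOf) {
    if (!holdings.has(owner)) holdings.set(owner, []);
    holdings.get(owner).push(id);
  }
  for (const ids of holdings.values()) ids.sort((a, b) => (a < b ? -1 : a > b ? 1 : 0));
  return holdings;
}

// ERC-20: sum inflows minus outflows per address; drop zero balances.
// Returns Map<address, BigInt balance>.
function snapshotErc20(transfers, snapshotBlock) {
  const bal = new Map();
  const add = (a, v) => bal.set(a.toLowerCase(), (bal.get(a.toLowerCase()) ?? 0n) + v);
  for (const t of transfers) {
    if (t.block > snapshotBlock) continue;
    if (t.from !== ZERO) add(t.from, -t.value);
    if (t.to !== ZERO) add(t.to, t.value);
  }
  for (const [a, v] of bal) if (v === 0n) bal.delete(a);
  return bal;
}

// Holders that are contracts: tokens here belong to escrow, not to an end user.
// These are the positions users must exit before the contract is locked.
function escrowedHoldings(holdings) {
  const out = [];
  for (const [owner, ids] of holdings) {
    if (isContract(owner)) out.push({ escrow: owner, tokenIds: ids });
  }
  return out;
}

// One CSV row per (address, tokenId), addresses in sorted order.
function toCsv(holdings) {
  const rows = ["address,tokenId"];
  const sorted = [...holdings.entries()].sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  for (const [owner, ids] of sorted) for (const id of ids) rows.push(`${owner},${id}`);
  return rows.join("\n");
}

// Stand-alone run: snapshot at block 104, report escrow positions and CSV.
const holdings = snapshotErc721(erc721Transfers, 104);
for (const e of escrowedHoldings(holdings)) {
  console.warn(`tokens ${e.tokenIds.join(",")} are held by escrow ${e.escrow}; users should withdraw before lock`);
}
console.log(toCsv(holdings));
```

Two points the passage relies on are visible in the run: token #3 is credited to the staking contract, not to Bob, so the warning fires, and the burned token #1 is absent from the CSV entirely. Taking the snapshot at a block at or before the lock transaction, and checking every holder with eth_getCode, is what makes the airdrop or claim list on the new contract match what users actually held.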

Can this vulnerability impact contracts deployed anywhere else?

Because this issue originated with an open-source library, it is possible that there are other smart contracts impacted outside of thirdweb’s ecosystem.

What if I created the contract for a client and am no longer the owner?

If you are no longer the owner you will not be able to perform the mitigation steps. Please contact the contract owner and ask them to perform the steps to lock and recreate the contract.

Is it still possible to deploy an older version of the contract(s) with the vulnerability?

All contract deployments using Thirdweb’s dashboards and SDKs after November 22nd at 7 PM PST will be the new versions without the vulnerability.

For ALL SUPPORT questions related to the vulnerability & mitigation steps, please EMAIL ThirdWeb directly at support@thirdweb.com
