Multiple NFT collections at risk by flaw in open-source library

December 5, 2023 at 06:15PM

Thirdweb has reported a vulnerability in an open-source library used by its pre-built smart contracts, affecting multiple NFT collections, including some listed on Coinbase NFT. The library and the nature of the flaw have been withheld to prevent exploitation. Owners of affected contracts are advised to mitigate immediately by locking the contracts and migrating to patched versions. Thirdweb is offering to cover gas fees, and platforms such as Mocaverse and OpenSea have responded to protect user assets.

Key Takeaways:

1. A security vulnerability was identified in a commonly used open-source library that Web3 smart contracts depend on, with implications for multiple NFT collections, including some listed on Coinbase NFT.

2. Thirdweb, the Web3 development platform that made the discovery, became aware of the flaw on November 20 and pushed a remediation on November 22. It has not disclosed which library is affected or what the vulnerability is, to avoid alerting potential attackers.

3. Affected smart contracts include various versions of AirdropERC20, ERC721, ERC1155, MarketplaceV3, and others; Thirdweb published a list of impacted contracts with their versions. Note that "ERC721" and "ERC1155" here are the names of Thirdweb's pre-built contract templates, not the token standards in general, so contracts written or deployed without Thirdweb's templates are not covered by the list.

4. Thirdweb has informed the maintainers of the vulnerable library and has shared mitigation details with other protocols and organizations. It states that it has seen no evidence of the vulnerability being exploited.

5. Users and contract owners have complained about the lack of transparency, with some asking for a CVE identifier and a clearer explanation of the mitigation process.

6. Thirdweb's guidance for smart contract owners is to lock all pre-built contracts created before 7 pm PT on November 22, 2023, take a snapshot of their state, and migrate to a new contract. Locking first matters: it ensures the snapshot reflects the final state of the old contract and that nothing changes hands between snapshot and migration. A tool and a tutorial for the mitigation are available.

7. Thirdweb is offering retroactive gas grants to cover the cost of contract mitigations; owners must apply for them via a form.

8. Coinbase NFT responded to the issue, clarifying that Coinbase itself is not affected and that user funds are safe, while acknowledging that some collections on its platform that were created with Thirdweb are impacted.

9. OpenZeppelin, maintainer of the OpenZeppelin Contracts library, was also informed. It stated that the issue appears to stem from how the library was integrated rather than from a flaw in the OpenZeppelin Contracts library itself.

10. Mocaverse told users that their assets are safe and that it has upgraded its smart contracts to address the vulnerability. It has also communicated the potential risk to other subsidiary companies of Animoca Brands.

11. For its non-upgradable contracts, Mocaverse has locked the contracts, snapshotted their data, and deployed a new Thirdweb smart contract without the vulnerability from which original holders can claim NFTs based on their holdings at the time of the snapshot.

12. OpenSea is working with Thirdweb to mitigate risks and plans to assist affected users.
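The lock, snapshot and migrate procedure in items 6 and 11 only works if the snapshot is an exact record of holdings at the moment the old contract was locked. The following is an added example, not Thirdweb's migration tool and not code from the article, of the bookkeeping such a snapshot needs: it replays a contract's transfer events up to a cutoff block, rejects a log set that is visibly incomplete, and flattens the result into the rows a replacement contract's claim allowlist would take. The event shapes follow ERC-721 `Transfer` and ERC-1155 `TransferSingle`/`TransferBatch`; the addresses, block numbers and log records are constructed sample data, and fetching real logs from an RPC node is outside the example.

```javascript
// Added example: rebuild NFT holdings from transfer events up to a cutoff
// block (the "snapshot" step of lock -> snapshot -> migrate). This is not
// Thirdweb's tool; it shows the bookkeeping such a tool must get right.
// All addresses, block numbers and log records below are constructed.

const ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";

// Constructed ERC-721 logs: two mints, one transfer, one burn, then a
// transfer that lands after the cutoff and must be ignored.
const ERC721_LOGS = [
  { block: 100, logIndex: 0, event: "Transfer", from: ZERO_ADDRESS, to: "0xAAAA", tokenId: 1n },
  { block: 100, logIndex: 1, event: "Transfer", from: ZERO_ADDRESS, to: "0xAAAA", tokenId: 2n },
  { block: 102, logIndex: 0, event: "Transfer", from: "0xaaaa", to: "0xBBBB", tokenId: 1n },
  { block: 105, logIndex: 0, event: "Transfer", from: "0xaaaa", to: ZERO_ADDRESS, tokenId: 2n },
  { block: 300, logIndex: 0, event: "Transfer", from: "0xbbbb", to: "0xEEEE", tokenId: 1n },
];

// Constructed ERC-1155 logs: a batch mint, then a partial transfer of one id.
const ERC1155_LOGS = [
  { block: 100, logIndex: 0, event: "TransferBatch", from: ZERO_ADDRESS, to: "0xCCCC", ids: [7n, 8n], values: [5n, 3n] },
  { block: 101, logIndex: 0, event: "TransferSingle", from: "0xcccc", to: "0xDDDD", id: 7n, value: 2n },
];

// Apply one balance delta. Mints come from, and burns go to, the zero
// address, which is never recorded as a holder.
function adjust(balances, holder, tokenId, delta) {
  if (holder === ZERO_ADDRESS) return;
  const key = holder.toLowerCase(); // normalise checksum casing so one holder has one entry
  let byToken = balances.get(key);
  if (!byToken) {
    byToken = new Map();
    balances.set(key, byToken);
  }
  const next = (byToken.get(tokenId) ?? 0n) + delta;
  if (next < 0n) {
    // A holder cannot send what the logs never gave them: the log set is
    // incomplete, and a snapshot built from it would be wrong.
    throw new Error(`negative balance for ${key} on token ${tokenId}: missing logs`);
  }
  if (next === 0n) byToken.delete(tokenId); else byToken.set(tokenId, next);
  if (byToken.size === 0) balances.delete(key);
}

// Replay logs in emission order up to and including cutoffBlock.
// Returns Map<holder, Map<tokenId, amount>> with zero balances removed.
function snapshot(logs, cutoffBlock) {
  const ordered = [...logs].sort((a, b) => a.block - b.block || a.logIndex - b.logIndex);
  const balances = new Map();
  for (const log of ordered) {
    if (log.block > cutoffBlock) break;
    switch (log.event) {
      case "Transfer": // ERC-721: exactly one unit of the token id moves
        adjust(balances, log.from, log.tokenId, -1n);
        adjust(balances, log.to, log.tokenId, 1n);
        break;
      case "TransferSingle": // ERC-1155: `value` units of `id` move
        adjust(balances, log.from, log.id, -log.value);
        adjust(balances, log.to, log.id, log.value);
        break;
      case "TransferBatch": // ERC-1155: parallel ids/values arrays
        if (log.ids.length !== log.values.length) throw new Error("malformed TransferBatch");
        log.ids.forEach((id, i) => {
          adjust(balances, log.from, id, -log.values[i]);
          adjust(balances, log.to, id, log.values[i]);
        });
        break;
      default:
        throw new Error(`unexpected event ${log.event}`);
    }
  }
  return balances;
}

// Flatten to the rows a replacement contract's claim allowlist needs.
function toClaimList(balances) {
  const rows = [];
  for (const [holder, byToken] of balances) {
    for (const [tokenId, amount] of byToken) rows.push({ holder, tokenId, amount });
  }
  return rows.sort((a, b) =>
    a.holder.localeCompare(b.holder) || (a.tokenId < b.tokenId ? -1 : a.tokenId > b.tokenId ? 1 : 0));
}

// Sanity check for an ERC-721 snapshot: every token id has exactly one holder.
function erc721Unique(balances) {
  const seen = new Set();
  for (const byToken of balances.values()) {
    for (const [tokenId, amount] of byToken) {
      if (amount !== 1n || seen.has(tokenId)) return false;
      seen.add(tokenId);
    }
  }
  return true;
}

// Demo on the constructed data, with the lock assumed to have landed at block 250.
const erc721Snapshot = snapshot(ERC721_LOGS, 250);
console.log(toClaimList(erc721Snapshot), erc721Unique(erc721Snapshot));
console.log(toClaimList(snapshot(ERC1155_LOGS, 250)));
```

The cutoff block should be the block in which the old contract was locked, so that no transfer can postdate the snapshot. The negative-balance check is the part most worth keeping: the usual way a migration goes wrong is a log fetch that silently missed a range of blocks, and a snapshot built on such logs hands tokens to the wrong holders in the new contract.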

Owners of affected contracts should follow Thirdweb's mitigation steps without delay and watch for further updates as the situation develops.
