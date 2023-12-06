A vulnerability in an open-source library widely used in the Web3 sector affects the security of ThirdWeb's pre-built smart contracts, and with them several NFT collections, including ones launched by Coinbase NFT.

This was revealed today by Web3 development platform ThirdWeb. The announcement provided minimal details, frustrating some users who wanted clarification that could help them protect contracts.

ThirdWeb said it became aware of the security flaw on November 20 and deployed a fix two days later, but it did not disclose the name of the library or the type or severity of the vulnerability, to avoid tipping off attackers before contract owners could mitigate.

The company says it has also contacted the library's maintainers and alerted other protocols and organizations to the issue, sharing its findings and mitigations for the vulnerable libraries.

The following pre-built smart contracts are affected by this flaw:

AirdropERC20 (v1.0.3 and later), AirdropERC721 (v1.0.4 and later), AirdropERC1155 (v1.0.4 and later), AirdropERC20Claimable, AirdropERC721Claimable, AirdropERC1155Claimable

BurnToClaimDropERC721 (all versions)

DropERC20, DropERC721, DropERC1155 (all versions)

LoyaltyCard

MarketplaceV3 (all versions)

Multiwrap, Multiwrap_OSRoyaltyFilter

OpenEditionERC721 (v1.0.0 and later)

Pack, Pack_OSRoyaltyFilter

TieredDrop (all versions)

TokenERC20, TokenERC721, TokenERC1155 (all versions)

SignatureDrop, SignatureDrop_OSRoyaltyFilter

Split (low impact)

TokenStake, NFTStake, EditionStake (all versions)

ThirdWeb explains, “If you used our Solidity SDK to extend our base contract or create a custom contract, we do not believe the vulnerability extends to your contract.” This is not a guarantee, however, as the company says it is “unable to audit individual contracts.”

ThirdWeb has shared details of the exploit with the maintainers of the affected libraries and said it has not seen the vulnerability exploited in attacks.

Users upset due to lack of transparency

The absence of details led some users to ask for clarification or to speculate that the problem lay in thirdweb's own integration of the library rather than in the library itself.

One user complained about the lack of transparency and asked for clarification on the CVE (Common Vulnerabilities and Exposures) identifier and on how the mitigation works.



Lock vulnerable contracts

Thirdweb said smart contract owners should immediately apply mitigation measures to all pre-built contracts created before 7pm PT on November 22, 2023.

The advice is to lock the vulnerable contract so no further state changes can occur, take a snapshot of its holders, and then migrate that snapshot to a new contract created with a non-vulnerable version of the library. ThirdWeb has published a dedicated tool and a tutorial for mitigating affected contracts.
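The "take a snapshot" step of the procedure above is the one owners most often get wrong, because a snapshot taken from a marketplace or indexer may lag behind the chain or include transfers made after the lock. The script below is an added example, not thirdweb's mitigation tool or any code from the affected libraries: it rebuilds the holder set of a locked ERC-721 contract by replaying its Transfer events up to the lock block and emits a claim list for the replacement contract. It assumes you have already exported the contract's Transfer logs (from an RPC node or indexer) as dicts with block_number, log_index, from, to and token_id; the logs embedded here are constructed sample data, not real chain data. It goes slightly beyond the text by also validating the event stream, so a gap in the export surfaces as an error rather than as a wrong allowlist.

```python
"""Rebuild the holder set of a locked ERC-721 collection from its Transfer events.

Added example (not thirdweb's tool). Input format is an assumption: one dict per
Transfer event with block_number, log_index, from, to and token_id.
"""
from collections import defaultdict

ZERO = "0x" + "0" * 40  # mint source / burn destination per ERC-721

# Hypothetical holder addresses, constructed for the sample below.
ALICE = "0x" + "a" * 40
BOB = "0x" + "b" * 40
CAROL = "0x" + "c" * 40

# Constructed sample logs: two mints to Alice, a mint to Carol, a transfer of
# token 1 to Bob, and a burn of token 2. Delivered out of order on purpose,
# since indexers do not guarantee ordering and replay order matters.
SAMPLE_LOGS = [
    {"block_number": 102, "log_index": 0, "from": ALICE, "to": BOB, "token_id": 1},
    {"block_number": 100, "log_index": 0, "from": ZERO, "to": ALICE, "token_id": 1},
    {"block_number": 100, "log_index": 1, "from": ZERO, "to": ALICE, "token_id": 2},
    {"block_number": 103, "log_index": 0, "from": ALICE, "to": ZERO, "token_id": 2},
    {"block_number": 101, "log_index": 0, "from": ZERO, "to": CAROL, "token_id": 3},
]


def snapshot_erc721(logs, lock_block):
    """Replay Transfer logs in chain order up to and including lock_block.

    Returns {token_id: owner}. Raises ValueError if the event stream is
    inconsistent (double mint, or a transfer from an address that does not own
    the token), which usually means the export is incomplete.
    """
    owners = {}
    ordered = sorted(logs, key=lambda e: (e["block_number"], e["log_index"]))
    for ev in ordered:
        if ev["block_number"] > lock_block:
            break  # anything after the lock is not part of the snapshot
        frm, to, tid = ev["from"].lower(), ev["to"].lower(), ev["token_id"]
        if frm == ZERO:
            if tid in owners:
                raise ValueError(f"token {tid} minted twice; export may be corrupt")
        elif owners.get(tid) != frm:
            raise ValueError(f"token {tid} transferred from non-owner {frm}; export may be incomplete")
        if to == ZERO:
            owners.pop(tid, None)  # burn: token no longer claimable
        else:
            owners[tid] = to
    return owners


def holders_by_address(owners):
    """Invert the snapshot into {address: sorted token ids} for a claim allowlist."""
    grouped = defaultdict(list)
    for tid, owner in owners.items():
        grouped[owner].append(tid)
    return {addr: sorted(ids) for addr, ids in sorted(grouped.items())}


def to_claim_csv(holders):
    """Render the allowlist as CSV, one row per holder, token ids joined by ';'."""
    lines = ["address,token_ids"]
    for addr, ids in holders.items():
        lines.append(f"{addr},{';'.join(str(i) for i in ids)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Lock block 103 is an assumption for the sample; use the block in which
    # your lock transaction was mined.
    snap = snapshot_erc721(SAMPLE_LOGS, lock_block=103)
    print(to_claim_csv(holders_by_address(snap)))
```

Before publishing the allowlist, compare the number of tokens in the snapshot against the locked contract's totalSupply at the lock block; a mismatch means the log export is missing events and the migration would leave holders out.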

ThirdWeb said it would offer retroactive gas grants to cover the cost of mitigating contracts, but users will have to fill out a form to be approved.

Naturally, the warning has alarmed holders of valuable NFTs and major NFT trading platforms have already responded to the situation.

In an announcement on Monday, Coinbase NFT said it became aware of the vulnerability last Friday and that it affects some of its collections created with ThirdWeb.

“Coinbase itself is unaffected by this issue and all funds on Coinbase are secure,” the crypto exchange platform said.

Maintainers of the OpenZeppelin smart contract library were also informed about the issue affecting the thirdweb versions of the DropERC20, DropERC721, DropERC1155 (all versions) and AirdropERC20 pre-built contracts.

“Based on our investigation, the issue lies in the problematic integration of specific patterns, and is not specific to the implementation included in the OpenZeppelin contract library” – OpenZeppelin

Mocaverse, the membership NFT collection for the Animoca Brands ecosystem, also updated its users that their assets are safe and that it has “successfully upgraded the Mocaverse NFT, Lucky Neko, and Mocaverse Relic Collection smart contracts to close a relevant security vulnerability.”

On Tuesday, after taking all possible mitigation steps, Mocaverse informed Animoca Brands’ subsidiaries about the potential risk so that they can take the necessary measures to protect their users' assets.

“For contracts that are not upgradeable, including Realm Tickets and Honorary Collections, we locked the corresponding contracts, took a snapshot of all data, and later released them to the original holders through a thirdweb-based claim, allowing NFTs to be claimed on the basis of previous holdings on a new smart contract without known vulnerabilities” – Mocaverse

Similarly, OpenSea announced that it is working closely with ThirdWeb to mitigate the risks involved and to create a plan to assist affected users.

