Thirdweb Finds Rare Smart Contract Flaw, Saves 9,800 Contracts

San Francisco, CA, December 18, 2023 – Blockchain development platform Thirdweb recently announced in its blog post that it had disclosed and patched a critical security vulnerability affecting its own pre-built smart contracts and potentially impacting others across the web3 industry. [1]

It said that the vulnerability, discovered in November, was addressed quickly with a user-assisted migration tool, successfully mitigating risks for over 9,800 contracts on 37 blockchains.

“Since making this initial announcement, we’ve felt it important to prioritize user safety and mitigation alongside responsible disclosure. With significant progress made and industry discussions underway, we feel now is the time to share details of the vulnerability,” the blog post said.

It said that the vulnerability stemmed from the specific combination of two widely used open-source standards: ERC-2771 for gas fee sponsorship (meta-transactions relayed through a trusted forwarder, which appends the original signer's address to the calldata) and Multicall for batching several calls to a contract into one transaction.

In certain scenarios, malicious actors could exploit a weakness in how these standards interact. An ERC-2771 contract takes the real sender from the last 20 bytes of calldata whenever the caller is the trusted forwarder, while Multicall delegatecalls each batched sub-call with caller-supplied calldata and the same msg.sender. An attacker relaying a multicall through the forwarder could therefore append any address to a sub-call and have the contract treat that address as the sender, spoofing addresses and gaining unauthorized control of assets within vulnerable smart contracts.

This could allow attackers to perform privileged actions, like stealing funds or manipulating contract logic, security experts said.
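As an added illustration, not code from Thirdweb's contracts or from the blog post, the following Python model reproduces the calldata mechanics that make the spoof work and shows the effect of carrying the forwarder's sender suffix into every sub-call (the approach OpenZeppelin took when patching its own Multicall). The addresses, one-byte selectors, fixed argument layout and balances are constructed sample values, and the forwarder's signature check is elided; the call/delegatecall semantics that matter are kept: a delegatecall keeps msg.sender and replaces the calldata.

```python
"""Toy model of the ERC-2771 + Multicall msg.sender spoof (constructed example)."""

# Hypothetical 20-byte addresses for the three parties (constructed sample data).
FORWARDER = bytes.fromhex("f0" * 20)
ATTACKER = bytes.fromhex("aa" * 20)
VICTIM = bytes.fromhex("bb" * 20)

SEL_TRANSFER = b"\x01"   # stands in for a 4-byte function selector
SEL_MULTICALL = b"\x02"


class Revert(Exception):
    """Stands in for an EVM revert."""


def encode_subcalls(subcalls):
    """multicall(bytes[]) payload: count byte, then length-prefixed sub-call data."""
    out = len(subcalls).to_bytes(1, "big")
    for data in subcalls:
        out += len(data).to_bytes(2, "big") + data
    return out


def decode_subcalls(payload):
    """Inverse of encode_subcalls; trailing bytes (a forwarder suffix) are ignored."""
    count, pos, subcalls = payload[0], 1, []
    for _ in range(count):
        n = int.from_bytes(payload[pos:pos + 2], "big")
        subcalls.append(payload[pos + 2:pos + 2 + n])
        pos += 2 + n
    return subcalls


class Token:
    def __init__(self, forwarder, balances, fixed):
        self.forwarder = forwarder
        self.balances = dict(balances)
        self.fixed = fixed  # whether multicall carries the ERC-2771 suffix through

    def _msg_sender(self, msg_sender, calldata):
        # ERC-2771: when the trusted forwarder is the caller, the real signer is
        # the 20-byte suffix the forwarder appended to the calldata.
        if msg_sender == self.forwarder and len(calldata) >= 20:
            return calldata[-20:]
        return msg_sender

    def call(self, msg_sender, calldata):
        if calldata[:1] == SEL_TRANSFER:
            return self.transfer(msg_sender, calldata)
        if calldata[:1] == SEL_MULTICALL:
            return self.multicall(msg_sender, calldata)
        raise Revert("unknown selector")

    def transfer(self, msg_sender, calldata):
        # Layout: selector | to (20 bytes) | amount (32 bytes) | optional suffix.
        # Like ABI decoding, anything after the declared arguments is ignored.
        sender = self._msg_sender(msg_sender, calldata)
        to = calldata[1:21]
        amount = int.from_bytes(calldata[21:53], "big")
        if self.balances.get(sender, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def multicall(self, msg_sender, calldata):
        suffix = b""
        if self.fixed and msg_sender == self.forwarder:
            # Fix: re-append the forwarder-supplied signer to every sub-call so
            # the inner _msg_sender() reads the real signer, not attacker bytes.
            suffix = calldata[-20:]
        for data in decode_subcalls(calldata[1:]):
            # delegatecall(address(this), data): msg.sender is unchanged (still
            # the forwarder) while the calldata is whatever the sub-call supplies.
            self.call(msg_sender, data + suffix)


def forwarder_execute(target, signer, calldata):
    # ERC-2771 forwarder: after verifying `signer`'s signature on the request
    # (omitted in this model), it calls the target with `signer` appended.
    return target.call(FORWARDER, calldata + signer)


def run_attack(fixed, via_forwarder=True):
    """The attacker submits a multicall under their own valid signature; the
    sub-call's calldata ends in VICTIM's address. Returns
    (reverted, victim_balance, attacker_balance)."""
    token = Token(FORWARDER, {VICTIM: 100, ATTACKER: 0}, fixed=fixed)
    inner = SEL_TRANSFER + ATTACKER + (100).to_bytes(32, "big") + VICTIM
    outer = SEL_MULTICALL + encode_subcalls([inner])
    try:
        if via_forwarder:
            forwarder_execute(token, ATTACKER, outer)
        else:
            token.call(ATTACKER, outer)  # direct call: no trusted-forwarder suffix
        reverted = False
    except Revert:
        reverted = True
    return reverted, token.balances[VICTIM], token.balances[ATTACKER]


if __name__ == "__main__":
    print("vulnerable:", run_attack(fixed=False))                # (False, 0, 100)
    print("fixed:     ", run_attack(fixed=True))                 # (True, 100, 0)
    print("direct:    ", run_attack(fixed=False, via_forwarder=False))  # (True, 100, 0)
```

The third case shows why the forwarder matters: called directly, the contract never consults the calldata suffix, so the same batched payload cannot impersonate anyone. The attacker only needs a valid signature of their own to get the forwarder to make the outer call; the spoofed address lives entirely inside the sub-call they control.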

After the flaw was reported by external auditors in November, Thirdweb built a mitigation tool and said it had achieved a high success rate, securing over 9,800 contracts across 37 blockchains within a short timeframe.

Sources
  1. Thirdweb, "Vulnerability Report": https://blog.thirdweb.com/vulnerability-report/