Summary

On September 9th, 2023, we received a security report from an independent security researcher about a critical vulnerability in the MarketplaceV3 smart contract.

The vulnerability POC (’proof of concept’) showed that an attacker can steal ERC20 / native currency escrowed in a marketplace by bidding in an auction with a bid higher than the auction’s buyout price.

We identified a total of 6 marketplaces that were compromised — having an active auction — of which 2 had at least 1 transaction in the past 10 days. A total of $0 worth of assets were at risk of being stolen, and no assets were required to be rescued.

No marketplace has suffered this exploit on mainnets. We have privately walked through mitigation steps with all admins of compromised marketplaces before disclosing this vulnerability publicly.

The vulnerability has been patched and only the fixed MarketplaceV3 contract is available to deploy across thirdweb tools, starting Monday, September 11, 2023 06:59 UTC and onward.

Bug

A marketplace contract accumulates ERC20 token and native token balance as and when the marketplace escrows bids made on an active auctions.

An attacker can drain bid funds escrowed in a marketplace by the following:

1. Create an auction with a negligible buyout price.
2. Bid in this auction, specifying the marketplace’s entire balance in the respective auction currency as the bid amount — effectively closing the auction.
3. Collect the auction’s payout — here, the marketplace will transfer over its entire existing balance in the relevant auction currency.

The reported exploit is possible for all versions of MarketplaceV3. The reported exploit is not possible for MarketplaceV2 and prior.

The bug was introduced in the MarketplaceV3 contract in this commit where we perform an incorrect state update in the bidInAuction function.

Mitigation

Using private communication channels (discord, email and slack), we have walked through mitigation steps with all admins of compromised marketplaces.

The mitigation steps included:

1. Revoking the ‘LISTER’ role from all role holders to prevent creating any new listings on the compromised marketplace.
2. Setting marketplace platform fee to 100% to disincentivize any further trading activity on the compromised marketplace, and in the event of a sale, for any sale value to go to the admin of the compromised marketplace as a custodian.
3. Deploying a special, new copy of the MarketplaceV3 contract that includes a migration function for either a listing creator or the admin of the marketplace to migrate over direct listings data from the compromised marketplace.

Timeline

All times are in UTC and in MM/DD/2023 date format.

• 09/09 16:37: received a security report at security@thirdweb.com with a POC test case and explanation showcasing the vulnerability.
• 09/09 17:19: security report acknowledged via security@thirdweb.com confirming the reported exploit as possible for MarketplaceV3. Disabled deployments of buggy MarketplaceV3 contract from all deployment surface areas on thirdweb.com.
• 09/09 18:56: compiled a list of thirdweb users (known to have deployed a MarketplaceV3 contract) and associated communication channels.
• 09/09 20:21: reported exploit confirmed as not possible for MarketplaceV2 and prior.
• 09/09 20:55: the buggy MarketplaceV3 contract is unpublished.
• 09/11 14:24: private communication containing mitigation steps sent to known admins of compromised marketplaces.
• 09/10 18:07: data collected identifying all compromised MarketplaceV3 mainnet deployments [with at least 1 active/ongoing auction and a transaction in the last 10 days].
• 09/10 23:19: acknowledgement of private communication with mitigation steps received from all admins of compromised marketplaces.
• 09/11 06:59: MarketplaceV3 republished with bug fix included; available to deploy across all deployment surface areas on thirdweb.com and the thirdweb SDK.

How it was fixed

Code fix

The fix involves reverting in the EnglishAuctionsLogic.bidInAuction function immediately, if the bid amount is greater than the auction’s buyout price.

The vulnerability has been patched in this commit.

Onchain data and understanding vulnerability impact

Since all relevant marketplace deployments are EIP-1167 minimal clones with the following bytecode structure:

we were able to query onchain for all compromised marketplace deployments by searching for contracts with minimal clone bytecode that includes the compromised MarketplaceV3 contract’s implementation address.

• A total of $0 worth of assets were at risk of being stolen, and no assets were required to be rescued.
• We identified 6 marketplaces at risk i.e. having an active auction.
• 2 of the 6 were active contracts i.e. had at least 1 transaction in the past 10 days.

Once we identified all compromised marketplace contracts, we were able to read their state by calling the getAllValidAuctions function and determine which marketplaces had an active auction and what assets were escrowed in the marketplace.

Notifying affected users

Upon confirmation of the exploit POC, our business and customer support teams collected a list of users/teams known to have a mainnet MarketplaceV3 contract deployment. We privately communicated mitigation steps to these teams (via Discord, Slack and email).

Once we identified all compromised marketplaces via onchain data collection, we were able to identify yet un-contacted deployers and privately communicate mitigation steps to them as well.

Each contacted user/team had their own unique questions, concerns and timeline for performing mitigation. We talked and walked through mitigation with each affected team in the way that fit their needs.

Learnings

The reported critical vulnerability in MarketplaceV3 was introduced in a code change to fix a low-severity vulnerability reported in the contract’s pre-launch audit.

We have performed a thorough post-mortem with our audit partners 0xMacro about how this vulnerability slipped through the checks in our internal development pipeline and external audit process.

We’re actively revising our development process to prioritize security — exploring new Solidity tools to leverage, creating a better tests structure and writing extensive smart contract documentation — all to catch such vulnerabilities ahead of time.

If you would like to work with us in improving the security of our contracts, discuss mitigation strategies or disclose any vulnerabilities, please reach out to us at security@thirdweb.com.

thirdweb: Bug Bounty Program