Smart contract security vulnerability 12/4
TLDR
- On November 20th, 2023 we became aware of a security vulnerability in a problematic integration of specific patterns of a commonly used open-source library for web3 smart contracts which impacts some of thirdweb’s pre-built smart contracts.
- Users who deployed one of these impacted pre-built smart contracts using thirdweb’s dashboard or SDKs before November 22nd at 7pm PST need to perform some mitigation steps.
- You can easily determine and perform the mitigation steps you need to take using a tool we have built, which can be accessed here: https://mitigate.thirdweb.com/
UPDATE 12/6 8.40pm PT
Dear community, over the last 48 hours, we have seen significant progress made in mitigating this vulnerability.
Our tool has helped successfully mitigate over 8,000 smart contracts across 43 chains, and our teams are working nonstop to support smart contract owners through the process.
We are aware of two cases of unmitigated smart contracts being exploited using this vulnerability. If you are a smart contract owner who has not yet used our mitigation tool, it is still critical you do so using this link: https://mitigate.thirdweb.com/
We are not yet disclosing more detail on this vulnerability to allow smart contract owners time to take appropriate action, though we are committed to providing a detailed analysis at the appropriate time.
We also want to provide some insight into our process since becoming aware of the vulnerability.
On November 20th, we immediately activated our engineering team at full capacity to develop the mitigation tool. We felt it was critical to have a robust mitigation plan in place before making a public announcement.
On November 22nd, we pushed a remediation for all forward-looking thirdweb smart contract deployments. We also began monitoring the prevalence of this vulnerability across the web3 ecosystem and detected a number of apps and protocols outside thirdweb that may have been impacted.
Between December 1st and 3rd, we contacted eight ecosystem partners and other platforms impacted by this vulnerability to work with them to protect their users.
On December 4th, we made the public announcement once we had determined a mitigation path for users with the goal of notifying as many of our users as possible, many of whom had interacted with our tools permissionlessly and without entering contact information.
During this time we collaborated with a number of industry leaders to enhance the safety of the mitigation process, including OpenSea who implemented measures to protect smart contract owners’ assets whilst the mitigation took place.
Our team is continuing to work around the clock, alongside our security partners, to accelerate the mitigation of this vulnerability for as many smart contract owners as possible.
We appreciate your ongoing support and are immensely proud of how our community reacted to swiftly mitigate their contracts.
Please reach out to support@thirdweb.com if you have further questions or need support with the mitigation process.
Original Post 12/4 5pm PT
At thirdweb, our mission is to provide complete developer tools for web3, and security is at the forefront of everything we do. Since our founding, we have invested significant resources in employing robust security measures when building our tools and providing ongoing developer support. These measures include conducting regular smart contract audits for every contract on our platform, paying out bug bounties, and open-sourcing all of our tools to enhance the security of our customers and developers.
As part of our process, on November 20th, 2023, at 6 PM PST, we became aware of a security vulnerability in a problematic integration of specific patterns of a commonly used open-source library for web3 smart contracts which impacts some of thirdweb’s pre-built smart contracts.
The following pre-built smart contracts are impacted by this vulnerability:
- AirdropERC20 (v1.0.3 and later), ERC721 (v1.0.4 and later), ERC1155 (v1.0.4 and later), ERC20Claimable, ERC721Claimable, ERC1155Claimable
- BurnToClaimDropERC721 (all versions)
- DropERC20, DropERC721, DropERC1155 (all versions)
- LoyaltyCard
- MarketplaceV3 (all versions)
- Multiwrap, Multiwrap_OSRoyaltyFilter
- OpenEditionERC721 (v1.0.0 and later)
- Pack and Pack_OSRoyaltyFilter
- TieredDrop (all versions)
- TokenERC20, ERC721, ERC1155 (all versions)
- SignatureDrop, SignatureDrop_OSRoyaltyFilter
- Split (low impact)
- TokenStake, NFTStake, EditionStake (all versions)
Based on our investigation alongside our audit partners, this vulnerability has not been exploited in any thirdweb smart contracts.
Our immediate priority is to protect our customers impacted by this vulnerability. Users who deployed one of these impacted pre-built smart contracts using thirdweb’s dashboard or SDKs before November 22nd at 7pm PST need to perform some mitigation steps.
We and our security partners have been working at full capacity since being made aware of the vulnerability to build a tool to easily determine and perform the mitigation steps you need to take, which can be accessed here: https://mitigate.thirdweb.com/
In most cases, the mitigation steps will involve locking the contract, taking a snapshot and migrating to a new contract without the known vulnerability. The exact steps you need to take will depend on the nature of your smart contract, and you can determine these using the tool.
You can also find a step-by-step guide on how to use the mitigation tool here.
Please note: If your holders have tokens locked in any liquidity or staking pool, they should pull these tokens out before you begin these steps. Otherwise, they will lose their assets. Additionally, you should request that your users revoke approvals on all thirdweb contracts using revoke.cash, which will protect your users if you choose not to mitigate the contract.
Future smart contract deployments
Once we became aware of the vulnerability, we activated our security team and worked closely with our audit partners to investigate the issue. We successfully pushed a remediation for all of thirdweb’s impacted pre-built contracts created after November 22nd at 7pm PST.
Any thirdweb smart contract (as long as it is the latest version) deployed after November 22nd at 7 PM PST is therefore not impacted by this known vulnerability. All other thirdweb services — including our wallets, payments, and infrastructure services — are also unaffected and functioning as usual.
If you used our Solidity SDK to extend our base contract or built a custom contract, we don't believe the vulnerability extends to your contract. However, we can't guarantee this because we are unable to audit individual contracts.
We have also contacted the maintainers of the open-source library at the root of the vulnerability (which we are not specifying to mitigate the chance of exploitation) and contacted other protocols and organizations we believe may be impacted by the same issue to share our findings and mitigation measures. Security researchers and other organizations interested in learning more can contact our team at support@thirdweb.com.
Looking forward
Moving forward, we are increasing our investment in security measures. This includes doubling our bug bounty payouts from $25k to $50k per bounty, and implementing a more rigorous auditing process, with the goal of creating a robust environment for web3 developers.
We understand that this will cause disruption, and we are treating the mitigation of the issue with the utmost seriousness. We will be offering retroactive gas grants to cover fees for contract mitigations. Receiving a gas grant will depend on a number of factors. Please fill in this form to be considered.
For ALL SUPPORT questions related to the vulnerability & mitigation steps, please EMAIL us directly at support@thirdweb.com to protect yourself and other users in the community from sharing vulnerable contracts.
FAQs
Is my contract vulnerable?
Please use the mitigation tool to find out if your contract contains this vulnerability.
Which contracts were affected by the vulnerability?
The following pre-built smart contracts are impacted by this vulnerability:
- AirdropERC20 (v1.0.3 and later), ERC721 (v1.0.4 and later), ERC1155 (v1.0.4 and later), ERC20Claimable, ERC721Claimable, ERC1155Claimable
- BurnToClaimDropERC721 (all versions)
- DropERC20, DropERC721, DropERC1155 (all versions)
- LoyaltyCard
- MarketplaceV3 (all versions)
- Multiwrap, Multiwrap_OSRoyaltyFilter
- OpenEditionERC721 (v1.0.0 and later)
- Pack and Pack_OSRoyaltyFilter
- TieredDrop (all versions)
- TokenERC20, ERC721, ERC1155 (all versions)
- SignatureDrop, SignatureDrop_OSRoyaltyFilter
- Split (low impact)
- TokenStake, NFTStake, EditionStake (all versions)
Any thirdweb smart contract (as long as it is the latest version) deployed after November 22nd at 7 PM PST is not impacted by this known vulnerability. All other thirdweb services, including our wallets, payments, and infrastructure services, are also unaffected and functioning as usual.
If you used our Solidity SDK to extend our base contract or built a custom contract, we don't believe the vulnerability extends to your contract. However, we can't guarantee this because we are unable to audit individual contracts.
Was my contract exploited?
Based on our investigation so far, we are not aware of any instances where this vulnerability has been exploited in a thirdweb smart contract. This is different from asking whether your contract is vulnerable to being exploited. Use our tool to find out whether your contract is vulnerable to being exploited.
When and how should I mitigate my contract?
Please follow this link for instructions on how to safely perform the mitigation steps for your contract. We recommend you take action immediately.
What happens when I lock my contract?
Locking the contract will remove all permissions, revoke all admin access, disable the transfer and minting of tokens, and prevent any user from interacting with this contract in the future. This will make the tokens non-transferable, and this action is irreversible. This will prevent bad actors from gaining admin access to your contract.
How do my users get their new assets on the new contract without the vulnerability?
You can either have your users claim new tokens using a claim page provided by the mitigation tool, or you can airdrop new tokens to your users. You can select your preferred option using the mitigation tool.
How does the snapshot tool work?
The snapshot tool maps every owner to the exact tokens they hold on the contract. Tokens held in staking or liquidity pools are not included, because on-chain they are owned by an escrow contract (i.e. the liquidity or staking pool) rather than by the user. After a contract is locked, these users will not be able to withdraw their tokens because all token transfers will be disabled. We suggest you ask your users to withdraw their tokens from any escrow contracts before you lock your contract and take the snapshot.
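The following is an added illustration of how an owner-to-token snapshot of this kind can be rebuilt from ERC-721 Transfer events, and why escrow-held tokens need attention before locking; it is example code, not the thirdweb mitigation tool. The event list and the `STAKING_POOL` address are constructed placeholders.

```python
from collections import defaultdict

ZERO = "0x" + "0" * 40  # ERC-721 mints come from, and burns go to, the zero address

# Constructed sample of ERC-721 Transfer(from, to, tokenId) events in block order.
# Addresses are placeholders, not real accounts; the pool is an assumed escrow contract.
STAKING_POOL = "0xpool"
TRANSFERS = [
    (ZERO, "0xalice", 1),        # mint
    (ZERO, "0xalice", 2),        # mint
    (ZERO, "0xbob", 3),          # mint
    ("0xalice", "0xcarol", 2),   # secondary transfer
    ("0xbob", STAKING_POOL, 3),  # bob stakes token 3; the pool is now the on-chain owner
]

def replay(transfers):
    """Replay Transfer events into {owner: sorted token ids}, rejecting inconsistent logs."""
    owner_of = {}
    for sender, receiver, token_id in transfers:
        if sender == ZERO:
            if token_id in owner_of:
                raise ValueError(f"token {token_id} minted twice")
        elif owner_of.get(token_id) != sender:
            raise ValueError(f"token {token_id}: {sender} is not the current owner")
        if receiver == ZERO:
            del owner_of[token_id]  # burn
        else:
            owner_of[token_id] = receiver
    holders = defaultdict(list)
    for token_id, owner in owner_of.items():
        holders[owner].append(token_id)
    return {owner: sorted(ids) for owner, ids in holders.items()}

def split_escrowed(snapshot, escrow_contracts):
    """Separate directly held tokens from tokens credited to an escrow (pool) address."""
    # Holders of the escrowed tokens must withdraw before the old contract is locked;
    # otherwise the snapshot credits the pool and their tokens become stuck.
    direct = {o: ids for o, ids in snapshot.items() if o not in escrow_contracts}
    escrowed = {o: ids for o, ids in snapshot.items() if o in escrow_contracts}
    return direct, escrowed

def to_csv_rows(snapshot):
    """Flatten a snapshot to 'address,tokenId' rows, one per token, for export."""
    return [f"{owner},{tid}" for owner in sorted(snapshot) for tid in snapshot[owner]]
```

Running `split_escrowed(replay(TRANSFERS), {STAKING_POOL})` credits token 3 to the pool, not to bob, which is exactly the case the warning above is about.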
Can I have access to my snapshot data?
Yes, you can download your snapshot data in CSV format.
Who should I contact if I have questions about this vulnerability?
Please reach out to support@thirdweb.com.
Are there any other thirdweb products that are affected?
Any thirdweb smart contract (as long as it is the latest version) deployed after November 22nd at 7 PM PST is not impacted by this known vulnerability.
All other thirdweb services, including our wallets, payments, and infrastructure services, are also unaffected and functioning as usual.
Can you share more details on thirdweb’s smart contract auditing and bug bounty programs?
thirdweb has partnered with 0xMacro since April of 2022 to audit all pre-built smart contracts on the dashboard. You can find details of these audit reports here. thirdweb also has a public bug bounty program which has paid out more than ~$50k in bug bounties over the last year.
Can you share more details on the vulnerability?
We aren’t currently sharing technical details to protect our users impacted by this vulnerability.
Can this vulnerability impact contracts deployed anywhere else?
Because this issue originated with an open-source library, it is possible that there are other smart contracts impacted outside of thirdweb’s ecosystem.
Will I be refunded for the transaction fees associated with the mitigation steps?
We will be offering retroactive gas grants to cover fees for contract mitigations. Receiving a gas grant will depend on a number of factors. Please fill in this form to be considered.
What are the risks if we choose not to follow the thirdweb recommended mitigation steps?
Your contract could be exploited by an unauthorized actor should you choose not to use the recommended thirdweb mitigation tool.
What if I created the contract for a client and am no longer the owner?
If you are no longer the owner you will not be able to perform the mitigation steps. Please contact the contract owner and ask them to perform the steps to lock and recreate the contract.
I lost access to my admin wallet. How can I mitigate?
You are unable to lock or recreate the contract if you do not have access to the admin wallet.
Is it still possible to deploy an older version of the contract(s) with the vulnerability?
All contract deployments using thirdweb’s dashboards and SDKs after November 22nd at 7 PM PST will be the new versions without the vulnerability.
Can we airdrop tokens to our holders instead of making them claim?
Yes, the mitigation tool includes options to airdrop tokens to your holders or to create a claimable tokens page. Gas is paid by the contract owner to airdrop tokens, while gas is paid by the token holder to claim tokens.