Contract Mitigation Tutorial

Overview

Using the thirdweb mitigation tool, you’ll be able to mitigate the vulnerability that we’ve discovered in the recent security incident ("this vulnerability") in the contracts you’ve deployed.

Using the tool at mitigate.thirdweb.com, you’ll be able to identify which of your contracts have this vulnerability, and receive mitigation steps. We recommend you take mitigation steps immediately. By taking these steps, you will be incurring the gas costs associated with the mitigation. In certain cases, your token holders may incur gas costs as well.

In general there are three types of mitigation pathways:

  1. Upgrade path: You will patch your existing contract for this vulnerability.
  2. Lock & recreate path: You will first lock your existing contract from actions. Then, depending on the contract type, you may need to take extra steps like snapshotting the contract, and distributing new tokens to your existing token holders.
  3. Unapprove: For certain contracts, the mitigation path will be removing token approval from the contract.

Getting Started

🎬 Video Walkthrough

⚠️ Only the contract owner will be able to see the contracts listed in the mitigation tool.

  1. Visit the mitigation site
  2. Connect your wallet

Upgrade Path

Impacted Contract list

Depending on the version of your contract, you may not be impacted. You can rely on the mitigation tool to guide you.

  • TieredDrop
  • BurnToClaimDropERC721
  • Marketplace V3

Sample Process

🎬 Video Walkthrough

The following is the mitigation process for a single contract type, Marketplace V3, from this category. Individual steps will vary between contracts, but you can rely on the mitigation tool to guide you.

To mitigate the vulnerability, you will:

  1. Upgrade this contract to patch this vulnerability.

Lock & Create Path

Impacted Contract list

Depending on the version of your contract, you may not be impacted. You can rely on the mitigation tool to guide you.

  • TokenERC20
  • TokenERC721
  • TokenERC1155
  • DropERC20
  • DropERC721
  • DropERC1155
  • AirdropERC20
  • AirdropERC721
  • OpenEdition
  • LoyaltyCard
  • SignatureDrop
  • Pack
  • Multiwrap
  • Marketplace (royalty engine)
  • Marketplace (no royalty engine)
  • Split (no funds at risk)
  • TokenStake
  • NFTStake
  • EditionStake

Sample Process

🎬 Video Walkthrough

The following is the mitigation process for a single contract type, DropERC721, from this category. Individual steps will vary between contracts, but you can rely on the mitigation tool to guide you.

To mitigate the vulnerability, you will:

1. Lock Contract

    1. Metadata will be frozen.
    2. [Locked] will be appended to the collection name.
    3. All permissions will be revoked, including admin ones.
⚠️ Locking your contract cannot be undone. If your users have tokens staked in an escrow contract (i.e. a liquidity or staking pool), locking this contract means those users will not be able to withdraw their tokens, because all token transfers will be disabled. We suggest you ask your users to withdraw their tokens from any escrow contracts before you lock this contract.

⚠️ Prioritize locking your contract

Once your contract is locked, the vulnerability is mitigated. You may choose to lock all of your vulnerable contracts first, before completing the remaining mitigation steps for each contract.

After you begin to lock the contract, if you do not see "lock complete" after waiting, please do not refresh the page. Instead, email support@thirdweb.com with the URL of the mitigation page.

2. Snapshot Contract Data

    1. This step will snapshot the metadata (name, symbol, description) and state (default primary sale recipient, default platform fee information, royalty information, token ID, token holders, balances, max total supply) of your existing contract so that it can be used to migrate to the new contract.
    2. Any unclaimed lazy-minted tokens will not be snapshotted and migrated.
    3. Note: You have the option to upload your own snapshot to be configured in the new contract deployment.

3. Deploy New Contract

This step will deploy a new DropERC721M contract without this vulnerability. After deployment, you will need to re-configure the claim conditions.

4. Distribute new tokens via airdrop or claim:

Option 1 [Claim]: Your existing token holders can use this link to claim their tokens from this contract. They will be responsible for the gas.

Option 2 [Airdrop]: Use this to airdrop the recovered tokens for your token holders. You will cover gas for your holders.

We will be offering a retroactive gas grant to cover fees for contract mitigations. Receiving a gas grant will depend on a number of factors. Please fill in this form to be considered.
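The snapshot step above derives token holders and balances from the locked contract. As an added example (not thirdweb's tool or code), the script below rebuilds an ERC721 holder snapshot from a list of Transfer events and turns it into airdrop-ready rows. Event data and addresses are constructed placeholders; the event shape (blockNumber, logIndex, from, to, tokenId) is assumed to match what a decoded Transfer log would give you. Tokens that were lazy-minted but never claimed never emit a Transfer, so they drop out of the snapshot naturally, matching the note in step 2.

```javascript
// Added example, not thirdweb's code: rebuild an ERC721 holder snapshot from
// Transfer(from, to, tokenId) events of a (now locked) contract.
const ZERO = "0x0000000000000000000000000000000000000000";

// Constructed placeholder addresses (not real accounts).
const ALICE = "0x" + "11".repeat(20);
const BOB = "0x" + "22".repeat(20);

// Constructed sample log, deliberately out of chain order: two mints to Alice,
// one mint to Bob, Alice sends token 1 to Bob, Bob burns token 2.
const transferEvents = [
  { blockNumber: 105, logIndex: 0, from: ALICE, to: BOB, tokenId: "1" },
  { blockNumber: 100, logIndex: 1, from: ZERO, to: ALICE, tokenId: "1" },
  { blockNumber: 106, logIndex: 0, from: BOB, to: ZERO, tokenId: "2" },
  { blockNumber: 100, logIndex: 0, from: ZERO, to: ALICE, tokenId: "0" },
  { blockNumber: 101, logIndex: 0, from: ZERO, to: BOB, tokenId: "2" },
];

// Replay events in chain order so that the last transfer of a token wins.
function buildSnapshot(events) {
  const ordered = [...events].sort(
    (a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex
  );

  const ownerOf = new Map(); // tokenId -> current owner (lowercased)
  const minted = new Set();  // every tokenId that ever left the zero address
  const burned = new Set();  // tokenIds sent to the zero address

  for (const ev of ordered) {
    const from = ev.from.toLowerCase();
    const to = ev.to.toLowerCase();
    if (from === ZERO) minted.add(ev.tokenId);
    if (to === ZERO) {
      burned.add(ev.tokenId);
      ownerOf.delete(ev.tokenId);
    } else {
      ownerOf.set(ev.tokenId, to);
    }
  }

  // Aggregate per-holder balances; this is the "token holders, balances" part
  // of the snapshot. Unclaimed lazy-minted tokens never appear here because
  // they have no Transfer event.
  const byHolder = new Map();
  for (const [tokenId, owner] of ownerOf) {
    if (!byHolder.has(owner)) byHolder.set(owner, []);
    byHolder.get(owner).push(tokenId);
  }

  const holders = [...byHolder.entries()]
    .map(([address, tokenIds]) => ({
      address,
      tokenIds: tokenIds.sort((a, b) => Number(a) - Number(b)),
      balance: tokenIds.length,
    }))
    .sort((a, b) => a.address.localeCompare(b.address));

  return {
    holders,
    mintedCount: minted.size,
    burned: [...burned].sort((a, b) => Number(a) - Number(b)),
    circulating: ownerOf.size,
  };
}

// One row per token, the shape an airdrop step would consume.
function toAirdropRows(snapshot) {
  const rows = [];
  for (const h of snapshot.holders) {
    for (const tokenId of h.tokenIds) rows.push({ recipient: h.address, tokenId });
  }
  return rows;
}

console.log(JSON.stringify(buildSnapshot(transferEvents), null, 2));
console.log(toAirdropRows(buildSnapshot(transferEvents)));
```

The sort key matters: without ordering by block and log index, a mint processed after a later transfer would hand the token back to its first owner. Burned tokens are reported separately so you can reconcile the count against the old contract's total supply before deploying the new one.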

Unapprove Path

Impacted Contract list

Depending on the version of your contract, you may not be impacted. You can rely on the mitigation tool to guide you.

  • AirdropERC20Claimable
  • AirdropERC721Claimable
  • AirdropERC1155Claimable

Sample Process

🎬 Video Walkthrough

The following is the mitigation process for a single contract type, AirdropERC20Claimable, from this category. Individual steps will vary between contracts, but you can rely on the mitigation tool to guide you.

To mitigate the vulnerability:

  1. The token owner will need to remove their token approval from this airdrop contract.
    1. If (admin is not token owner): You will need to ask the token owner to go to revoke.cash and remove their approval from this contract.
    2. If (admin is token owner): You will remove your approval from this contract.
  2. If you would like to deploy a new AirdropERC20Claimable contract, you can do so in the dashboard.
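Whether the approval is removed through revoke.cash or directly, the check a token owner wants afterwards is that the allowance granted to the airdrop contract now reads zero. As an added example (not thirdweb's tool or code), the script below builds the raw ERC20 `allowance(owner, spender)` query and the `approve(spender, 0)` revoke call that any JSON-RPC endpoint accepts, and decodes the query's return data. The function selectors are the standard ERC20 ones; the token, owner and airdrop-contract addresses, and the two sample responses, are constructed placeholders.

```javascript
// Added example, not thirdweb's code: raw ERC20 allowance check and revoke
// calldata, so the "unapprove" step can be verified without a third-party UI.
// First four bytes of keccak256 of the standard ERC20 signatures:
const SELECTOR_ALLOWANCE = "dd62ed3e"; // allowance(address,address)
const SELECTOR_APPROVE = "095ea7b3";   // approve(address,uint256)

// Constructed placeholder addresses (not real contracts or accounts).
const TOKEN = "0x" + "aa".repeat(20);
const OWNER = "0x" + "11".repeat(20);
const AIRDROP_CONTRACT = "0x" + "bb".repeat(20);

function assertAddress(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error("bad address: " + addr);
  return addr.toLowerCase();
}

// ABI-encode a 20-byte address or a small uint as a 32-byte word.
function word(hexNoPrefix) {
  return hexNoPrefix.toLowerCase().padStart(64, "0");
}

// Calldata for allowance(owner, spender): how much the spender may still move.
function encodeAllowanceCall(owner, spender) {
  return "0x" + SELECTOR_ALLOWANCE +
    word(assertAddress(owner).slice(2)) +
    word(assertAddress(spender).slice(2));
}

// Calldata for approve(spender, 0): the revoke itself.
function encodeRevokeCall(spender) {
  return "0x" + SELECTOR_APPROVE + word(assertAddress(spender).slice(2)) + word("0");
}

// A full eth_call request body for the allowance query.
function allowanceRequest(token, owner, spender, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to: assertAddress(token), data: encodeAllowanceCall(owner, spender) }, "latest"],
  };
}

// Decode the single uint256 that allowance() returns.
function decodeUint256(returnData) {
  const body = returnData.replace(/^0x/, "");
  if (body.length !== 64) throw new Error("unexpected return data length");
  return BigInt("0x" + body);
}

function isRevoked(returnData) {
  return decodeUint256(returnData) === 0n;
}

// Constructed sample responses: an unlimited approval, then a revoked one.
const RESPONSE_UNLIMITED = "0x" + "ff".repeat(32);
const RESPONSE_REVOKED = "0x" + "00".repeat(32);

console.log(JSON.stringify(allowanceRequest(TOKEN, OWNER, AIRDROP_CONTRACT)));
console.log("revoke calldata:", encodeRevokeCall(AIRDROP_CONTRACT));
console.log("before:", isRevoked(RESPONSE_UNLIMITED), "after:", isRevoked(RESPONSE_REVOKED));
```

Sending the revoke calldata in a transaction to the token contract is what the token owner does in the "admin is token owner" case; when the admin is not the owner, they can only run the allowance query and confirm the owner's revoke has landed.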