Major Ethereum NFT marketplaces and project developers are rolling out measures to contain a serious smart contract vulnerability.
Some Ethereum NFT projects are rushing to secure their collections after Thirdweb, a prominent crypto development platform, disclosed on December 4 that some of its smart contracts are affected by a security vulnerability.
Thirdweb wrote that the vulnerability lies in a "commonly used open-source library for Web3 smart contracts" and that it affects the pre-built contracts Thirdweb provides, among others. Smart contracts host the code that powers NFT collections and decentralized apps (dapps).
Citing the severity of the vulnerability, Thirdweb has not named the open-source library or given specific details. OpenZeppelin, meanwhile, clarified that the issue is not a bug in its widely used smart contract library.
OpenZeppelin tweeted:
“Based on our investigation, the issue is inherent to a problematic integration of specific patterns, and not particular to the implementations contained in the OpenZeppelin Contracts library. We will still lead the effort to assess who in the community is affected and provide them with mitigation strategies.”
IMPORTANT
On November 20th, 2023 6pm PST, we became aware of a security vulnerability in a commonly used open-source library in the web3 industry.
This impacts a variety of smart contracts across the web3 ecosystem, including some of thirdweb’s pre-built smart contracts.…
— thirdweb (@thirdweb) December 5, 2023
Thirdweb said it is not aware of any contracts having been exploited so far, but it recommends that affected projects carry out a mitigation process: lock down the current smart contract, deploy a new one, and airdrop replacement tokens to the current holders. The firm said it would help cover the network (gas) fees involved in migrating holders off an affected contract.
According to Thirdweb, it became aware of the vulnerability on November 20 and shipped a fix to its pre-built smart contract templates on November 22. Thirdweb contracts deployed after 10 p.m. ET on November 22 are therefore believed to be safe; those deployed before that cutoff may be affected.
The vulnerability affects NFT contracts built on the Ethereum ERC-721 and ERC-1155 standards, as well as fungible tokens minted under the ERC-20 standard. A full list of the affected contract types is published in Thirdweb's blog post, together with a mitigation tool that helps identify impacted contracts.
Major industry operators have weighed in on how the issue affects their users, NFT holders and NFT project developers.
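To make the "airdrop to current holders" step of the recommended migration concrete, the following Python script is an added example (not Thirdweb's mitigation tool or any project's own code). It rebuilds the owner set of an ERC-721 collection by replaying the contract's Transfer events up to the block at which the old contract was locked, then groups the result into batches for the replacement contract's mint. The event log, the addresses, the block numbers and the lock block are all constructed for illustration; a real migration would fetch the Transfer logs from an RPC node (eth_getLogs) and take the snapshot only after the old contract has actually been paused, so that no transfer can land between snapshot and airdrop.

```python
from collections import defaultdict
from dataclasses import dataclass

ZERO = "0x" + "0" * 40  # ERC-721 mints come from, and burns go to, the zero address

# Constructed placeholder addresses (not real accounts).
ALICE = "0x" + "a" * 40
BOB = "0x" + "b" * 40
CAROL = "0x" + "c" * 40


@dataclass(frozen=True)
class Transfer:
    """One ERC-721 Transfer(from, to, tokenId) event, keyed by its position in the chain."""
    block: int
    log_index: int
    sender: str
    receiver: str
    token_id: int


# Constructed event log standing in for what eth_getLogs would return for the old contract.
SAMPLE_LOG = [
    Transfer(100, 0, ZERO, ALICE, 1),           # mint #1 to Alice
    Transfer(100, 1, ZERO, ALICE, 2),           # mint #2 to Alice
    Transfer(101, 0, ZERO, BOB, 3),             # mint #3 to Bob
    Transfer(105, 2, ALICE, CAROL, 2),          # Alice transfers #2 to Carol
    Transfer(107, 0, BOB, ZERO, 3),             # Bob burns #3: it must not be re-issued
    Transfer(110, 0, CAROL.upper(), ALICE, 2),  # after the lock block: must be ignored
]

LOCK_BLOCK = 108  # assumed block in which the old contract was paused


def snapshot_holders(log, snapshot_block):
    """Replay Transfer events up to and including snapshot_block; return {token_id: owner}.

    Events are processed in chain order (block, log index). Addresses are lower-cased
    so that checksummed and non-checksummed forms of the same account match. A mint of
    an already-owned token or a transfer by a non-owner indicates a gap or corruption
    in the log, so the snapshot aborts instead of producing a wrong holder list.
    """
    owners = {}
    for ev in sorted(log, key=lambda e: (e.block, e.log_index)):
        if ev.block > snapshot_block:
            break
        sender, receiver = ev.sender.lower(), ev.receiver.lower()
        if sender == ZERO:
            if ev.token_id in owners:
                raise ValueError(f"token {ev.token_id} minted twice")
        elif owners.get(ev.token_id) != sender:
            raise ValueError(f"token {ev.token_id} moved by non-owner {sender}")
        if receiver == ZERO:
            owners.pop(ev.token_id, None)   # burned: drop it from the snapshot
        else:
            owners[ev.token_id] = receiver
    return owners


def airdrop_batches(owners, batch_size=50):
    """Turn the snapshot into (holder, token_id) pairs, chunked for a batch mint on the new contract."""
    by_holder = defaultdict(list)
    for token_id, holder in sorted(owners.items()):
        by_holder[holder].append(token_id)
    pairs = [(holder, tid) for holder, ids in sorted(by_holder.items()) for tid in ids]
    return [pairs[i:i + batch_size] for i in range(0, len(pairs), batch_size)]


if __name__ == "__main__":
    holders = snapshot_holders(SAMPLE_LOG, LOCK_BLOCK)
    for batch in airdrop_batches(holders, batch_size=50):
        print(batch)
```

Running the script against the constructed log yields two tokens to re-issue (#1 to Alice, #2 to Carol); the burned token #3 and the post-lock transfer are correctly left out. The same replay approach works for ERC-1155 by tracking per-holder balances from TransferSingle and TransferBatch events rather than a single owner per token id.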
We are in touch with @thirdweb about the security vulnerability impacting some NFT collections. Stay tuned for more info on how we can assist affected collection owners with any changes on OpenSea tied to contract migration. Please read @thirdweb’s post below for more detail. https://t.co/HU6bmXWU7U
— OpenSea (@opensea) December 5, 2023
Major NFT marketplace OpenSea told users to "stay tuned for more info on how we can assist affected collection owners with any changes on OpenSea tied to contract migration."
Another notable NFT marketplace, Rarible, said that some NFT drops on its platform are affected, on both Ethereum and the Polygon sidechain.
Coinbase said that some collections created on its NFT platform are affected, while smart contract startup Manifold said its contracts are not. Base, the Ethereum layer-2 network incubated by Coinbase, also said that some project contracts deployed on Base are affected, though the network itself is secure.
Moca Transparency Tuesday – TL;DR: Mocas are SAFU, Funds are SAFU, Wallets are SAFU
On Dec 2 at 11:17am HKT, we were made aware by @thirdweb, our smart contract development partner for the Mocaverse collections, that there was a need for a security update to the smart contracts…
— Mocaverse💼🪐 (@MocaverseNFT) December 5, 2023
Cool Cats, the Ethereum profile picture (PFP) project, said its main NFTs are safe but that it will move its Avatar System packs to a new contract. Meanwhile, Animoca Brands' Mocaverse gaming platform said it has already moved its NFT collections to new contracts and will let holders claim the new versions.
Besides covering fees for migrated projects, Thirdweb said it has doubled its maximum bug bounty payout from $25,000 to $50,000 and will use "a more rigorous auditing process" going forward.