Some creators of Ethereum NFT projects are scrambling to secure their collections after Thirdweb, a prominent crypto development platform, disclosed issues with its smart contracts late Monday.
Thirdweb wrote that a security vulnerability in a “commonly used open-source library for Web3 smart contracts” was discovered, and that it affects pre-built contracts offered by Thirdweb among others. Smart contracts hold the code that power autonomous decentralized apps (dapps) and NFT collections.
Due to the apparent seriousness of the vulnerability, Thirdweb is not disclosing which open-source library was the root of the exploit, or details on what the issue entails. OpenZeppelin, a widely used open-source library for smart contracts, has since come out to say that the issue isn’t tied to its repository.
“Based on our investigation, the issue is inherent to a problematic integration of specific patterns, and not particular to the implementations contained in the OpenZeppelin Contracts library,” it tweeted—but added that it would still “lead the effort to assess who in the community is affected and provide them with mitigation strategies.”
Thirdweb said that it does not believe that any smart contracts have yet been exploited, but it recommends that projects undertake a mitigation process that includes locking down their current smart contract and migrating to a new one, then airdropping tokens to current holders. The company said that it would help cover network fees associated with migrating holders from an affected smart contract.
According to Thirdweb, it became aware of the contract vulnerability on November 20 and rolled out a fix to its pre-built smart contract templates on November 22. As a result, any Thirdweb smart contracts deployed after 10 p.m. ET on November 22 are believed to be safe, but those deployed prior to then may be affected.
The exploit is tied to NFT smart contracts that use the Ethereum ERC-721 and ERC-1155 standards, but also fungible tokens minted via the ERC-20 standard. A full list of affected contract types is available via Thirdweb’s blog post, along with a mitigation tool that can identify any impacted contracts.
Many major industry players have come out to weigh in on how the issue may impact their users, NFT holders, and NFT project creators.
Major NFT marketplace OpenSea tweeted that users should “stay tuned for more info on how we can assist affected collection owners with any changes on OpenSea tied to contract migration.” Rarible, another NFT marketplace, said that some NFT drops on its platform are also affected across Ethereum and sidechain scaling network Polygon.
Coinbase said that some collections created on its NFT platform are impacted, while smart contract startup Manifold said that its own contracts are unaffected. Base, the Ethereum layer-2 scaling network that Coinbase incubated, also said that some project contracts utilized on Base are affected, but the network itself is secure.
Ethereum profile picture (PFP) project Cool Cats said that while its main NFTs are safe, it will migrate its Avatar System packs to a new contract. Meanwhile, Animoca Brands’ Mocaverse gaming platform said it has migrated its various NFT collections to new contracts, and will let holders claim the new versions.
In addition to covering fees for migrated projects, Thirdweb wrote that it has doubled its bug bounty payments from $25,000 to $50,000, and will utilize “a more rigorous auditing process” going forward.
Edited by Ryan Ozawa
Editor’s note: This story was updated after publication to clarify language around the nature of the vulnerability.
Stay on top of crypto news, get daily updates in your inbox.