Wednesday, May 1, 2024

Thirdweb, a provider of Web3 development frameworks, has begun addressing a critical vulnerability that could affect a substantial number of smart contracts across various networks. The vulnerability, uncovered in November, affects a range of pre-built smart contracts that Thirdweb offers for rapid application deployment and that rely on an undisclosed open-source library.

In response to this security concern, Thirdweb has taken significant steps to mitigate the risk across numerous Ethereum Virtual Machine (EVM) networks. Over the past 48 hours, more than 8,000 contracts have undergone mitigation measures to contain the potential fallout from this vulnerability. Furthermore, the organization is actively working to expand these efforts.

While Thirdweb has acknowledged that the vulnerability is linked to an open-source Web3 library widely used within the industry, they have not divulged specific details about its nature or the exact steps being taken for mitigation. It should be noted that the vulnerability impacts several of Thirdweb’s pre-built smart contracts intended for deploying applications on EVM chains.

As of the time of this writing, Thirdweb has confirmed that only two smart contracts have been exploited, although further specifics have not been provided.

The journey to address this vulnerability began on November 20 when Thirdweb initiated work on developing a mitigation tool. The situation was made public on December 4, with Thirdweb actively collaborating with affected partners, such as the NFT marketplace OpenSea, to provide early warnings.

Additionally, Thirdweb has reached out to the maintainers of the undisclosed Web3 open-source library and relevant third parties to inform them about the issue. They have also shared their findings and the measures being taken to mitigate the vulnerability.

In light of these developments, Thirdweb has demonstrated its commitment to enhancing security. They plan to double the payments for their existing bug bounty program, increasing it from $25,000 to $50,000. Moreover, they will implement more rigorous auditing processes to bolster their security measures.

The backdrop to this situation is the alarming increase in hacks and exploits during the year 2023. According to blockchain security firm Certik, more than $1 billion had been stolen from smart contracts by the beginning of September. Notably, the cost of such attacks escalated in September, with losses totaling $332 million due to hacks, scams, and exploits in that month.

Given the seriousness of the situation, it is crucial for stakeholders and the wider community to closely monitor Thirdweb’s ongoing efforts and their impact on the security landscape. Your thoughts on Thirdweb’s vulnerability disclosure and mitigation actions are welcome and can be shared in the comments section below.

Frequently Asked Questions (FAQs) about Smart Contract Vulnerability Mitigation

Q: What is the vulnerability that Thirdweb is addressing?

A: Thirdweb is addressing a critical vulnerability that was discovered in November. This vulnerability affects various pre-built smart contracts provided by Thirdweb for deploying applications. The specific nature of this vulnerability has not been disclosed.

Q: How many contracts have been mitigated by Thirdweb so far?

A: In the last 48 hours, Thirdweb has mitigated more than 8,000 contracts to contain the impact of the vulnerability. They are actively working to extend these mitigation efforts.

Q: Has this vulnerability been exploited?

A: Thirdweb has confirmed that as of now, only two smart contracts have been exploited due to this vulnerability. However, additional details about these exploits have not been provided.

Q: When did Thirdweb start working on mitigating this vulnerability?

A: Thirdweb began working on developing a mitigation tool for this vulnerability on November 20. The situation was made publicly known on December 4.

Q: What steps is Thirdweb taking to enhance security?

A: Thirdweb is doubling its payments for its bug bounty program, increasing it from $25,000 to $50,000. They are also implementing more rigorous auditing processes to strengthen their security measures.

Q: What is the broader context regarding smart contract security in 2023?

A: In 2023, there has been a significant increase in hacks and exploits in the blockchain space. According to Certik, a blockchain security company, more than $1 billion had been stolen from smart contracts by the beginning of September. The cost of attacks escalated, with $332 million lost to hacks, scams, and exploits in September.


3 comments

CryptoExpert47 December 9, 2023 - 3:22 pm

Thirdweb taking swift action on vulnerability. 8000 contracts mitigated. 2 exploited. Serious situation in 2023!

BlockchainEnthusiast December 10, 2023 - 6:26 am

Thirdweb not sharing specifics? Not good for transparency. But quick action, important.

EconGuru123 December 10, 2023 - 12:13 pm

Thirdweb doubling bug bounty. Good move! 1 billion stolen. Need better security.
