A vulnerability in an open-source library that is widely used across the Web3 space impacts the security of pre-built smart contracts, affecting multiple NFT collections, including some from Coinbase NFT.
The disclosure came earlier today from Web3 development platform Thirdweb.
The announcement provides minimal details, which irked some users who wanted clarifications that could help them protect their contracts.
Thirdweb said that it became aware of the security flaw on November 20 and pushed a remediation two days later, but did not disclose the name of the library and the type or severity of the vulnerability to prevent tipping off attackers.
The company says it has contacted the maintainers of the vulnerable library, shared the details of the exploit with them, and alerted other protocols and organizations to the issue, passing on its findings and mitigations.
Thirdweb added that it has not seen the vulnerability being leveraged in attacks.
The absence of details prompted some users to ask for clarifications or to speculate that the issue is with the Thirdweb implementation of the library.
One user complained about the lack of transparency, asking for the CVE identifier of the vulnerability and for an explanation of how the mitigation works.
Thirdweb said that smart contract owners must take mitigation measures immediately for all pre-built contracts created before November 22, 2023, at 7 pm PT. The advice is to lock the vulnerable contract, take a snapshot of its state (holders and balances), and migrate that state to a new contract created with a non-vulnerable version of the library.
Thirdweb provides a dedicated tool and a tutorial on how to mitigate impacted contracts.
Thirdweb said that it would offer retroactive gas grants to cover the cost of contract mitigations, but users have to fill out a form to be approved.
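The snapshot step of the lock, snapshot, migrate procedure above is the part an operator most often gets wrong, because an incomplete event history silently produces a wrong holder list. The block below is an added example, not Thirdweb's tool or any code from the affected library: it replays already-decoded transfer events (ERC-721 `Transfer` as amount 1, ERC-1155 `TransferSingle`; a `TransferBatch` is assumed to have been expanded into one row per id) up to the block at which the contract was locked, rebuilds the balances, and refuses to produce a snapshot if any transfer debits more than the sender holds, which is the signature of a missed log range. The sample events, addresses and the lock block number are constructed for the example.

```javascript
// Added example: rebuild a holder snapshot from transfer events for the
// lock-snapshot-migrate procedure. Not Thirdweb's code; sample data is constructed.
const ZERO = "0x0000000000000000000000000000000000000000";
const ALICE = "0x" + "a".repeat(40); // constructed addresses
const BOB = "0x" + "b".repeat(40);
const CAROL = "0x" + "c".repeat(40);

// Constructed sample events in the shape a node returns after decoding
// Transfer (ERC-721, amount 1) or TransferSingle (ERC-1155) logs.
// Deliberately out of order: a snapshot must replay by (blockNumber, logIndex).
const SAMPLE_EVENTS = [
  { blockNumber: 102, logIndex: 3, from: ALICE, to: BOB,   id: "1", amount: 1n },
  { blockNumber: 100, logIndex: 0, from: ZERO,  to: ALICE, id: "1", amount: 1n }, // mint
  { blockNumber: 100, logIndex: 1, from: ZERO,  to: ALICE, id: "2", amount: 1n }, // mint
  { blockNumber: 101, logIndex: 7, from: ZERO,  to: CAROL, id: "3", amount: 1n }, // mint
  { blockNumber: 103, logIndex: 0, from: ALICE, to: ZERO,  id: "2", amount: 1n }, // burn
  { blockNumber: 104, logIndex: 2, from: BOB,   to: CAROL, id: "1", amount: 1n }, // after lock
];

// Canonical chain order: block number first, then position within the block.
function sortEvents(events) {
  return [...events].sort(
    (a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex
  );
}

// Replay transfers up to and including lockBlock (the assumed block at which the
// vulnerable contract was locked). Returns Map<id, Map<holder, bigint>>.
// Throws if a transfer debits more than the sender holds: that means the event
// set is incomplete (wrong start block, missed logs, wrong contract address),
// and a snapshot built from it would migrate the wrong holders.
function snapshotBalances(events, lockBlock) {
  const balances = new Map();
  const get = (id, addr) => balances.get(id)?.get(addr) ?? 0n;
  const set = (id, addr, value) => {
    if (!balances.has(id)) balances.set(id, new Map());
    const byAddr = balances.get(id);
    if (value === 0n) byAddr.delete(addr); else byAddr.set(addr, value);
    if (byAddr.size === 0) balances.delete(id); // fully burned id drops out
  };
  for (const ev of sortEvents(events)) {
    if (ev.blockNumber > lockBlock) break; // sorted, so nothing later matters
    const from = ev.from.toLowerCase();
    const to = ev.to.toLowerCase();
    if (from !== ZERO) { // ZERO as sender is a mint, nothing to debit
      const have = get(ev.id, from);
      if (have < ev.amount) {
        throw new Error(
          `inconsistent log set: ${from} sends ${ev.amount} of id ${ev.id} ` +
          `at block ${ev.blockNumber} but holds ${have}`
        );
      }
      set(ev.id, from, have - ev.amount);
    }
    if (to !== ZERO) set(ev.id, to, get(ev.id, to) + ev.amount); // ZERO as receiver is a burn
  }
  return balances;
}

// Flatten into a deterministic migration list: one row per (holder, id, amount),
// sorted so the same input always yields the same output and can be diffed or hashed
// before it is fed to whatever mints the replacement contract.
function migrationList(balances) {
  const rows = [];
  for (const [id, byAddr] of balances) {
    for (const [holder, amount] of byAddr) rows.push({ holder, id, amount });
  }
  rows.sort((a, b) => a.holder.localeCompare(b.holder) || a.id.localeCompare(b.id));
  return rows;
}

// Stand-alone usage: snapshot at the assumed lock block 103.
console.log(migrationList(snapshotBalances(SAMPLE_EVENTS, 103)));
```

The lock block matters: with a lock at 103 the sample transfer in block 104 is excluded, so a holder who moved a token after the lock is not double-counted on the new contract. Run the consistency check against logs fetched from the contract's deployment block, not from an arbitrary recent block; the error path above is what catches the latter mistake.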
Naturally, the warning has caused holders of valuable NFTs to worry and large NFT trading platforms have already responded to the situation.
In an announcement on Monday, Coinbase NFT said that it learned of the vulnerability last Friday and that it affects some of its collections created with Thirdweb.
The maintainers of the OpenZeppelin library for smart contract development were also informed of the issue, which affects Thirdweb's versions of the DropERC20, ERC721, ERC1155, and AirdropERC20 pre-built contracts.
On Tuesday, after conducting all mitigation steps where possible, Mocaverse signalled the potential risk to Animoca Brands subsidiary companies, to let them take the necessary measures for the safety of their users' assets.
OpenSea announced that it is working closely with Thirdweb to mitigate the risks involved and plans to assist impacted users.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 05 Dec 2023 23:10:14 +0000