Multiple NFT collections at risk by flaw in open-source library

A vulnerability in an open-source library that is common across the Web3 space impacts the security of pre-built smart contracts, affecting multiple NFT collections, including Coinbase.
The disclosure came earlier today from Web3 development platform Thirdweb.
The announcement provides minimal details, which irked some users who wanted clarifications that could help them protect their contracts.
Thirdweb said that it became aware of the security flaw on November 20 and pushed a remediation two days later, but did not disclose the name of the library and the type or severity of the vulnerability to prevent tipping off attackers.
The company says it has contacted the maintainers of the vulnerable library and also alerted other protocols and organizations of the issue, sharing findings and mitigations.
Thirdweb has shared the details of the exploit with the maintainers of the affected library and said that it has not seen the vulnerability being leveraged in attacks.
The absence of details prompted some users to ask for clarifications or to speculate that the issue is with the Thirdweb implementation of the library.
One user complained about the lack of transparency, asking for the CVE identifier of the vulnerability and for an explanation of how the mitigation works.
Thirdweb said that smart contract owners must take mitigation measures immediately for all pre-built contracts created before November 22, 2023, at 7 pm PT. The advice is to lock the vulnerable contracts, take a snapshot, and then migrate it to a new contract created with a non-vulnerable version of the library.
A dedicated tool and tutorial on how to mitigate impacted contracts are provided here.
Thirdweb said that it would offer retroactive gas grants to cover contract mitigations, but users have to fill out a form to be approved.
Naturally, the warning has caused holders of valuable NFTs to worry, and large NFT trading platforms have already responded to the situation.
In an announcement on Monday, Coinbase NFT said that it learned of the vulnerability last Friday and that it affects some of its collections created with Thirdweb.
The maintainers of the OpenZeppelin library for smart contract development were also informed of the issue affecting Thirdweb's versions of the DropERC20, ERC721, ERC1155, and AirdropERC20 pre-built contracts.
On Tuesday, after conducting all mitigation steps where possible, Mocaverse signalled the potential risk to Animoca Brands subsidiary companies, to let them take the necessary measures for the safety of their users' assets.
OpenSea announced that it was working closely with Thirdweb to mitigate the risks involved and plans to assist impacted users.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 05 Dec 2023 23:10:14 +0000

