Multiple NFT collections at risk from flaw in open-source library

A vulnerability in an open-source library widely used across the Web3 space affects the security of pre-built smart contracts, putting multiple NFT collections at risk, including some created on Coinbase NFT.

The disclosure came earlier today from Web3 development platform Thirdweb. The announcement provides very few details, which irked some users who wanted clarifications that could help them protect their contracts.

Thirdweb said that it became aware of the security flaw on November 20 and pushed a remediation two days later, but did not disclose the name of the library or the type and severity of the vulnerability, to avoid tipping off attackers.

The company says it has contacted the maintainers of the vulnerable library and also alerted other protocols and organizations of the issue, sharing findings and mitigations.

The following smart contracts are impacted by the flaw:

  • AirdropERC20 (v1.0.3 and later), ERC721 (v1.0.4 and later), ERC1155 (v1.0.4 and later), ERC20Claimable, ERC721Claimable, ERC1155Claimable
  • BurnToClaimDropERC721 (all versions)
  • DropERC20, ERC721, ERC1155 (all versions)
  • LoyaltyCard
  • MarketplaceV3 (all versions)
  • Multiwrap, Multiwrap_OSRoyaltyFilter
  • OpenEditionERC721 (v1.0.0 and later)
  • Pack and Pack_OSRoyaltyFilter
  • TieredDrop (all versions)
  • TokenERC20, ERC721, ERC1155 (all versions)
  • SignatureDrop, SignatureDrop_OSRoyaltyFilter
  • Split (low impact)
  • TokenStake, NFTStake, EditionStake (all versions)

"If you used our Solidity SDK to extend our base contract or built a custom contract, we don't believe the vulnerability extends to your contract," explains Thirdweb, adding that this is not a guarantee because they "are unable to audit individual contracts."

Thirdweb has shared the details of the exploit with the maintainers of the affected library and said that it has not seen the vulnerability being leveraged in attacks.

Users upset by lack of transparency

The absence of details prompted some users to ask for clarifications or to speculate that the issue is with the Thirdweb implementation of the library.

One user complained about the lack of transparency asking for the CVE (Common Vulnerabilities and Exposures) identifier of the vulnerability and for an explanation of how the mitigation works.

[Image] User complains about the lack of details in Thirdweb's vulnerability disclosure (source: nuri)

Lock vulnerable contracts

Thirdweb said that smart contract owners must take mitigation measures immediately for all pre-built contracts created before November 22, 2023, at 7 pm PT.

The advice is to lock the vulnerable contract, take a snapshot of its state, and then migrate that state to a new contract created with a non-vulnerable version of the library. Thirdweb provides a dedicated tool and a tutorial on how to mitigate impacted contracts.
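The lock, snapshot, migrate step depends on an accurate record of who held which token at the moment the contract was locked. The following is an added example, not Thirdweb's own migration tool or any code from the affected library: it rebuilds an ERC-721 holder snapshot from Transfer events and turns it into a claim list that a replacement contract could honour. The addresses, events and lock block are constructed for illustration (assumptions, not data from the page); in practice the events would be fetched with eth_getLogs for the locked contract's address up to the block in which it was locked.

```javascript
// Added example (not Thirdweb code): ERC-721 holder snapshot from Transfer events.
// Assumptions: events carry blockNumber/logIndex (as eth_getLogs returns them),
// tokenId is a decimal string, and the lock block is known.

const ZERO_ADDRESS = "0x" + "0".repeat(40);

// Constructed sample holders (hypothetical, not real addresses).
const ALICE = "0x" + "a".repeat(40);
const BOB = "0x" + "b".repeat(40);
const CAROL = "0x" + "c".repeat(40);

// Constructed sample Transfer(from, to, tokenId) events, deliberately listed
// out of order and in mixed case to show that ordering and normalisation matter.
const SAMPLE_EVENTS = [
  { blockNumber: 100, logIndex: 0, from: ZERO_ADDRESS, to: ALICE, tokenId: "1" }, // mint #1
  { blockNumber: 100, logIndex: 1, from: ZERO_ADDRESS, to: BOB.toUpperCase(), tokenId: "2" }, // mint #2
  { blockNumber: 105, logIndex: 7, from: CAROL, to: ALICE, tokenId: "2" }, // Carol -> Alice (same block, later log)
  { blockNumber: 105, logIndex: 3, from: BOB, to: CAROL, tokenId: "2" }, // Bob -> Carol
  { blockNumber: 110, logIndex: 0, from: ZERO_ADDRESS, to: CAROL, tokenId: "3" }, // mint #3
  { blockNumber: 110, logIndex: 1, from: CAROL, to: ZERO_ADDRESS, tokenId: "3" }, // burn #3
  { blockNumber: 120, logIndex: 0, from: ZERO_ADDRESS, to: BOB, tokenId: "4" }, // mint #4 (after lock, see below)
];

// Reject malformed addresses and fold case so map keys compare equal.
function normalize(address) {
  if (!/^0[xX][0-9a-fA-F]{40}$/.test(address)) throw new Error(`bad address: ${address}`);
  return address.toLowerCase();
}

// Replay events in canonical (blockNumber, logIndex) order up to and including
// lockBlock, returning Map<tokenId, owner>. Burned tokens are dropped. Any
// transfer whose `from` does not match the current owner means the event set
// is incomplete or wrong, so the snapshot is refused rather than silently skewed.
function buildSnapshot(events, lockBlock) {
  const ordered = events
    .filter((e) => e.blockNumber <= lockBlock)
    .sort((a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  const owners = new Map();
  for (const e of ordered) {
    const from = normalize(e.from);
    const to = normalize(e.to);
    const current = owners.get(e.tokenId);
    if (from === ZERO_ADDRESS) {
      if (current !== undefined) throw new Error(`token ${e.tokenId} minted while already owned`);
    } else if (current !== from) {
      throw new Error(`token ${e.tokenId}: transfer from ${from} but recorded owner is ${current}`);
    }
    if (to === ZERO_ADDRESS) owners.delete(e.tokenId);
    else owners.set(e.tokenId, to);
  }
  return owners;
}

// Group the snapshot by holder into a deterministic claim list
// (sorted by address, token IDs in numeric order) for the replacement contract.
function toClaimList(owners) {
  const byHolder = new Map();
  for (const [tokenId, owner] of owners) {
    if (!byHolder.has(owner)) byHolder.set(owner, []);
    byHolder.get(owner).push(tokenId);
  }
  const byId = (a, b) => (BigInt(a) < BigInt(b) ? -1 : BigInt(a) > BigInt(b) ? 1 : 0);
  return [...byHolder.entries()]
    .map(([address, tokenIds]) => ({ address, tokenIds: tokenIds.sort(byId) }))
    .sort((a, b) => (a.address < b.address ? -1 : a.address > b.address ? 1 : 0));
}

// Stand-alone run: lock block 115 means token #4 (minted in block 120) is not claimable.
const LOCK_BLOCK = 115;
console.log(JSON.stringify(toClaimList(buildSnapshot(SAMPLE_EVENTS, LOCK_BLOCK)), null, 2));
```

The two points worth carrying over to a real migration are the ordering key (block number, then log index, never the order the RPC happened to return) and the refusal to produce a snapshot when a transfer's sender is not the recorded owner, which catches a truncated or mis-filtered event range before anyone is allowed to claim against it.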

Thirdweb said that it would offer retroactive gas grants to cover the cost of contract mitigations, but users have to fill out a form to be approved.

Naturally, the warning has caused holders of valuable NFTs to worry and large NFT trading platforms have already responded to the situation.

In an announcement on Monday, Coinbase NFT said that it learned of the vulnerability last Friday and that it affects some of its collections created with Thirdweb.

"Coinbase itself is unaffected by this issue and all funds on Coinbase are safe," adds the crypto exchange platform.

The maintainers of the OpenZeppelin library for smart contract development were also informed of the issue affecting Thirdweb's DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20 pre-built contracts.

"Based on our investigation, the issue is inherent to a problematic integration of specific patterns, and NOT particular to the implementations contained in the OpenZeppelin Contracts library" - OpenZeppelin

Mocaverse, the membership NFT collection for the Animoca Brands ecosystem, also updated its users that their assets are safe and that it "successfully upgraded the Mocaverse NFT, Lucky Neko, and Mocaverse Relic collection smart contracts to close the relevant security vulnerability."

On Tuesday, after conducting all mitigation steps where possible, Mocaverse signalled the potential risk to Animoca Brands subsidiary companies, to let them take the necessary measures for the safety of their users' assets.

"For the contracts that are not upgradable, including the Realm Ticket and Honorary Collection, we have locked the relevant contracts and taken a snapshot of all the data, and will subsequently allow the original holders to claim the NFTs based on previous holding via Thirdweb based on a new smart contract without the known vulnerability" - Mocaverse

Similarly, OpenSea announced that it is working closely with Thirdweb to mitigate the risks involved and plans to assist impacted users.
