Thirdweb Flags Critical Vulnerability, OpenSea, Coinbase NFT, Rarible Respond


Thirdweb, the developers of a popular web3 development toolkit, have brought attention to a significant vulnerability in a widely used open-source code library within the web3 ecosystem. Although this vulnerability has not been exploited, thirdweb recommends that owners of smart contracts take the necessary mitigation steps, especially for certain pre-built contracts created prior to November 22, 2023, at 7 pm PT.

The vulnerability may have affected some pre-built contracts used to distribute fungible or non-fungible tokens, including ERC20, ERC721, and ERC1155 tokens. Though the nature of the vulnerability has not been disclosed to maintain security, thirdweb has provided a list of affected contracts and detailed instructions and tools for users to mitigate the risk.

Affected contracts are commonly used to create NFT collections, raising concerns across the web3 ecosystem. Notable marketplaces such as OpenSea, Coinbase NFT, and Rarible, which used affected thirdweb contracts in drops, have responded promptly. Marketplaces are reassuring users and implementing measures to address the issue.

OpenSea, in collaboration with thirdweb, is working to support a resolution and ensure user safety on its platform. OpenSea emphasizes that its own SeaDrop contract is not affected by the vulnerability. OpenZeppelin, whose library of smart contract standards may have been involved in the vulnerability, stated that its investigation suggests the issue is related to a problematic integration of specific patterns and is not inherent to the implementations contained in the OpenZeppelin Contracts library.

While thirdweb has not disclosed the vulnerability’s nature to prevent security risks, the responsible disclosure process will be followed once affected parties have had time to mitigate the vulnerability. This development underscores the importance of ongoing vigilance and collaboration in the web3 space to address potential vulnerabilities and safeguard users.

