Multiple NFT Collections Could Be in Trouble Due to a Sneaky Flaw!

So, here’s the deal: there’s been a bit of a kerfuffle in the Web3 space. Turns out, an open-source library that tons of people use has a teeny-tiny vulnerability. 

No biggie, right? Well, not quite. This little hitch is putting the security of pre-built smart contracts, including some fancy NFT collections like Coinbase, at risk. Yikes! But before you panic, let’s dive into the details.

The Great Reveal…or Not

So, the clever folks at Thirdweb stumbled upon this security flaw on November 20. They sprang into action and fixed it two days later. Good on them! But here’s the twist: they’re keeping the name of the library and the nitty-gritty details under wraps. 

Why? Well, they don’t want the bad guys catching wind of it and causing more trouble. Sneaky, huh? But don’t worry, they’ve reached out to the library maintainers and spread the word to other protocols and organizations so they can find a way to deal with it.

NFT Contracts Caught in the Crossfire

Okay, so which smart contracts are caught up in this mess? Brace yourself, because it’s a doozy:

  • AirdropERC20 (v1.0.3 and later), ERC721 (v1.0.4 and later), ERC1155 (v1.0.4 and later), ERC20Claimable, ERC721Claimable, ERC1155Claimable
  • BurnToClaimDropERC721 (all versions)
  • DropERC20, ERC721, ERC1155 (all versions)
  • LoyaltyCard
  • MarketplaceV3 (all versions)
  • Multiwrap, Multiwrap_OSRoyaltyFilter
  • OpenEditionERC721 (v1.0.0 and later)
  • Pack and Pack_OSRoyaltyFilter
  • TieredDrop (all versions)
  • TokenERC20, ERC721, ERC1155 (all versions)
  • SignatureDrop, SignatureDrop_OSRoyaltyFilter
  • Split (low impact)
  • TokenStake, NFTStake, EditionStake (all versions)

Thirdweb claims that if you’ve used their Solidity SDK or built a custom contract, you might be in the clear. But hey, they can’t guarantee it because they can’t check every single contract out there. Fair enough, right?

Users Cry, “Spill the Beans!”

Now, here’s where things get a bit sticky. People are a tad miffed about the lack of info. They want transparency. Some users are demanding the CVE (Common Vulnerabilities and Exposures) identifier and a detailed explanation of how to fix this mess. Can’t blame them for wanting the lowdown, right?

Protecting Your Precious Contracts

Thirdweb is urging smart contract owners to take action ASAP for any pre-built contracts created before November 22, 2023, at 7 pm PT. So, what should you do? Lock those vulnerable contracts, take a snapshot, and migrate everything to a new contract that uses a version of the library without the vulnerability.

Oh, and guess what? Thirdweb is offering retroactive gas grants to cover the cost of fixing your contracts. Just fill out a form and cross your fingers for approval. Naturally, all this talk about vulnerabilities has got NFT holders sweating buckets. Don’t worry, though. The bigwigs at major NFT trading platforms are on the case.

Coinbase NFT and Pals to the Rescue

But hey, don’t panic! Your precious funds stored on Coinbase are safe and sound. Phew! The brainiacs behind the OpenZeppelin library for smart contract development also got wind of the issue. They know that Thirdweb’s versions of DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20 pre-built contracts are affected. Busy bees, those developers!

Not to be outdone, the folks at Mocaverse, the membership NFT collection for the Animoca Brands ecosystem, have your back too. To fix the vulnerability, they upgraded the Mocaverse NFT, Lucky Neko, and Mocaverse Relic collection smart contracts. They’ve also locked the relevant contracts and made a snapshot of all the data for non-upgradable contracts. And let’s not forget OpenSea, one of the OG NFT marketplaces. They’re teaming up with Thirdweb to tackle this issue head-on.

Final Thoughts

This whole vulnerability in the open-source library is a reminder that security is no joke when it comes to NFTs. As the NFT craze keeps on truckin’, it’s essential for developers, platform operators, and users to stay on their toes and take the necessary steps to protect their precious assets.

Stay in the loop, stay cautious, and you’ll be on your way to a safer and more enjoyable NFT journey. You got this!
