A flaw in an open source library that is common across the Web3 space affects the Security of pre-built smart contracts, affecting many NFT collections, including Coinbase.
See also: Porsche shuts down its new NFT program - phishing sites appear
The revelation came earlier than the platform development Web3 Thirdweb. The notice provides very little detail, which annoyed some users who wanted clarification that could help them protect their contracts.
The Thirdweb reported that it became aware of the security problem on November 20 and applied a fix two days later, but did not disclose the name of the library and the type or severity of the vulnerability to deter the attackers.
The company says it has contacted the responsible parties of the vulnerable library affecting many NFT collections and has also informed other protocols and organizations about the problem, sharing findings and remedies.
The following smart contracts are affected by the defect:
- AirdropERC20 (v1.0.3 and later), ERC721 (v1.0.4 and later), ERC1155 (v1.0.4 and later) ERC20Claimable, ERC721Claimable, ERC1155Claimable
- BurnToClaimDropERC721 (all versions)
- DropERC20, ERC721, ERC1155 (all versions)
- LoyaltyCard
- MarketplaceV3 (All versions)
- Multiwrap, Multiwrap_OSRoyaltyFilter
- OpenEditionERC721 (v1.0.0 and later)
- Pack and Pack_OSRoyaltyFilter
- TieredDrop (all versions)
- TokenERC20, ECRC721, ERC1155 (all versions)
- SignatureDrop, SignatureDrop_OSRoyaltyFilter
- Split (low impact)
- TokenStake, NFTStake, EditionStake (All versions)
See also: Spotify is testing playlists that will be unlocked by NFT holders
"If you used our Solidity SDK to extend our base contract or build a custom contract, we don't believe that the vulnerability is propagated in your contract," Thirdweb explains, adding that this is not a guarantee because they cannot control individual contracts.
Thirdweb shared the details of the exploit with the maintainers of the affected library and reported that it has not seen the vulnerability used in attacks.
The lack of details has led some users to ask for clarification or to assume that the problem lies in Thirdweb's implementation of the library.
One user complained about the lack of transparency, asking for the CVE (Common Vulnerabilities and Exposures) ID of the vulnerability and an explanation of how the remediation works.
Thirdweb states that contract owners should immediately take remedial action for all pre-constructed contracts created before November 22, 2023, at 7 p.m. PT. It is recommended to lock vulnerable contracts, take an image snapshot, and then transfer it to a new contract created with a non-vulnerable version of the library. Here a dedicated tool and a video tutorial on how to deal with affected contracts is provided.
See also: Google Play: Changes policy for blockchain-based apps
What are NFTs?
NFTs, are digital goods that use the technology blockchain to allow their exclusive ownership and exchange. Each NFT is unique and differentiated from the rest, making its owner's object unique. This is achieved through smart contracts technology, which enables the automatic execution of agreed terms and conditions for the exchange and transfer of NFTs.
The operation of NFTs is based on Technology blockchain, where each NFT is recorded and stored in a decentralised distributed ledger. This ensures data integrity and non-tampering, making NFTs secure and reliable.
NFTs can be represented in various formats, such as images, videos, music and even virtual objects in Games. Each time an NFT is bought or sold, the transactions are recorded on the blockchain, providing transparency and transaction history.NFTs have emerged as a way to artists, creators and fans to harness digital art and their creative works. Artists can create and sell their own NFTs, allowing direct transactions with their fans without the need for intermediaries.
Source: bleepingcomputer
