Multiple NFT collections at risk by flaw in open-source library (Security News, December 2023)
A vulnerability in an open-source library that is common across the Web3 space impacts the security of pre-built smart contracts, affecting multiple NFT collections, including Coinbase.
"If you used our Solidity SDK to extend our base contract or built a custom contract, we don't believe the vulnerability extends to your contract," explains Thirdweb, adding that this is not a guarantee because they "are unable to audit individual contracts."
Thirdweb said that smart contract owners must take mitigation measures immediately for all pre-built contracts created before November 22, 2023, at 7 pm PT. The advice is to lock the vulnerable contract, take a snapshot, and then migrate it to a new contract created with a non-vulnerable version of the library.
The maintainers of the OpenZeppelin library for smart contract development were also informed of the issue affecting Thirdweb's versions of the DropERC20, ERC721, ERC1155, and AirdropERC20 pre-built contracts.
Mocaverse, the membership NFT collection for the Animoca Brands ecosystem, also told its users that their assets are safe and that it "successfully upgraded the Mocaverse NFT, Lucky Neko, and Mocaverse Relic collection smart contracts to close the relevant security vulnerability."
"For the contracts that are not upgradable, including the Realm Ticket and Honorary Collection, we have locked the relevant contracts and taken a snapshot of all the data, and will subsequently allow the original holders to claim the NFTs based on previous holding via Thirdweb based on a new smart contract without the known vulnerability" - Mocaverse.