Thirdweb, a Web3 developer platform, posted on X platform that they discovered a security vulnerability in commonly used open source libraries in the Web3 industry at 10:00 on November 21st Beijing time. This will affect various smart contracts in the Web3 ecosystem, including some pre-built smart contracts by Thirdweb. According to investigations so far, this vulnerability has not been exploited in ThirdWeb smart contracts. However, smart contract owners must take mitigating measures for certain pre-built contracts created on ThirdWeb before 11:00 on November 23rd Beijing time. Affected pre-built contracts include but are not limited to DropERC20, ERC721, ERC1155 (all versions), and AirdropERC20.

Thirdweb stated that the top priority is to protect affected customers from this vulnerability. If contract builders deployed one of these pre-built smart contracts using Thirdweb's dashboard or SDK before 11:00 on November 23rd Beijing time, they need to take some steps to mitigate potential exploitation of this vulnerability. In most cases, mitigation measures will involve locking the contract, taking a snapshot, and migrating to a new contract without known vulnerabilities.

It should be noted that if the contract builder's holder has locked tokens in any liquidity or staking pool, they should withdraw these tokens before starting these steps. Otherwise, the contract builder will not be able to distribute new tokens to these users. In addition, contract builders should use http://revoke.cash to request that their users revoke approval for all ThirdWeb contracts. The team has successfully launched remedial measures for all affected pre-built contracts created for Thirdweb after 11:00 on November 23rd Beijing time. All other ThirdWeb services, including wallets, payments, and infrastructure services, are not affected and operate as usual.