Archive for the ‘Smart Contracts’ Category

Web3 developer Thirdweb boosts bounty to $50,000 in light of fresh smart contract security risks – CryptoSlate

Thirdweb, a Web3 software development kit (SDK) provider, confirmed the presence of a security vulnerability in a widely used open-source library, impacting numerous Web3 smart contracts, according to a Dec. 4 statement on social media platform X (formerly Twitter).

The firm stated that the vulnerability was initially identified on Nov. 20 and impacted a variety of smart contracts across the web3 ecosystem, including some of its pre-built smart contracts.

However, it clarified that the vulnerability has not yet been exploited and declined to name the open-source library in order to avoid tipping off attackers. The firm wrote:

Based on our investigation so far, this vulnerability has not been exploited in any thirdweb smart contracts. However, smart contract owners must take mitigation steps on certain pre-built smart contracts that were created on thirdweb prior to November 22nd, 2023 at 7pm PT.

Thirdweb identified 13 affected pre-built contracts, including AirdropERC20, ERC721 and ERC1155.

Smart contract owners are advised to take proactive mitigation steps to prevent exploitation. Thirdweb also said it is working with security partners on tooling that makes it easy to identify affected contracts and carry out the necessary mitigations.

Depending on the contract's nature, these steps might involve locking the contract, creating a snapshot, and migrating to a new contract. Users of these contracts are also encouraged to revoke approvals on all Thirdweb contracts.

Thirdweb is also increasing the bounty rewards for its platform to $50,000 and is implementing a more rigorous auditing process.

Meanwhile, 0xngmi, the pseudonymous developer of DefiLlama, urged the community to revoke their approvals to Thirdweb contracts, because the contracts are white-labeled and people may have interacted with them without knowing.

Several NFT projects, including OpenSea, have responded to concerns raised by the vulnerability.

OpenSea confirmed discussions with Thirdweb regarding security concerns in specific NFT collections. The NFT platform hinted at forthcoming support for affected collection owners and anticipated changes related to contract migration on their platform.

Some NFT collections like CoolCats and ApesRare have reassured their holders they are not affected by these vulnerabilities.

However, Thirdweb's disclosure approach has received criticism within the community.

View post:

Web3 developer Thirdweb boosts bounty to $50,000 in light of fresh smart contract security risks - CryptoSlate

Smart contract exploit in TIME token leads to $188k loss – crypto.news

According to CertiK, the TIME token was exploited recently, resulting in a loss of approximately $188k.

The attack began with the exploiter converting 5 ETH to Wrapped Ether (WETH), and then trading this for over 3.4 billion TIME tokens.

CertiK analysts reported that the exploit's root cause was manipulation of the Forwarder contract, which relays signed requests on behalf of any address. The attacker submitted a request and a matching signature from an address they controlled, so the request passed the Forwarder's verification; the spoofed sender was carried inside the request's call data rather than in the signed sender field.

The attacker then leveraged a parsing error: the TIME contract read the sender address out of the call data and was tricked into treating an address chosen by the attacker as the caller. As a result, the TIME contract erroneously burned a massive amount of tokens from the liquidity pool the attacker targeted, rather than from the attacker's own balance.

The attacker burned over 62 billion TIME tokens, drastically shrinking the pool's reserves and making the tokens the attacker had bought far more valuable against the pool's WETH. The tokens were then swapped for a substantial amount of WETH and converted back to ETH, with a portion paid as a bribe along the way.

This incident highlights the underlying vulnerabilities in smart contracts, where even a minor error can lead to substantial financial losses.

See more here:

Smart contract exploit in TIME token leads to $188k loss - crypto.news

The Future of Trust and Efficiency in Transactions – Medium

The convergence of technology and finance in the age of digital transformation has resulted in a ground-breaking invention called smart contracts. These blockchain-powered self-executing contracts are hailed as a revolution in the creation and performance of contracts. As we learn more about smart contracts, it becomes evident that they have the power to completely change the way that transactions are conducted by providing previously unheard-of levels of efficiency, transparency, and trust.

Understanding Smart Contracts

Smart contracts are self-executing agreements whose terms are encoded directly in code. They run automatically and enforce their terms when predefined conditions are met, and are most commonly deployed on blockchain platforms such as Ethereum. By removing the need for intermediaries, they streamline procedures and reduce the likelihood of disputes.

The Operation of Smart Contracts

Smart contracts, which are based on decentralized blockchain networks, secure and verify transactions using cryptographic concepts. The code is a set of guidelines and requirements; the contract comes into effect automatically when these requirements are met. This automation guarantees that the terms are followed without requiring human intervention and lowers the possibility of errors.

Applications Across Industries

Applications for smart contracts can be found in many different industries, and they offer increased security and efficiency. They make transaction settlement in finance smooth and quick. Smart contracts in real estate handle rental agreements and automate the transfer of property titles. Insurance, supply chain management, and even legal procedures can all profit

See the rest here:

The Future of Trust and Efficiency in Transactions - Medium

Chainlink Community Staking Pool Full, Drawing More Than $620M – Unchained

With nearly 41 million LINK tokens, the smart contract for Chainlinks v0.2 community staking pool has become the top holder of LINK, according to blockchain analytics firm Nansen.

The Chainlink community pool has filled.


Posted December 7, 2023 at 6:19 pm EST.

Chainlink's recently debuted staking pool for community members reached its maximum limit Thursday evening, drawing in a total of more than $620 million at mark-to-market prices.

With nearly 41 million LINK tokens, the smart contract for Chainlinks v0.2 community staking pool has become the top holder of LINK, according to blockchain analytics firm Nansen. The second place belongs to an address controlled by Binance, which holds 38 million tokens, while smart contracts labeled as Chainlink: Non-Circulating Supply, take up spots #3 to #17.

"Because we are seeing a consistent increase in the amount of value secured by and paid for over the Chainlink Network, it's increasingly important to improve the cryptoeconomic security of the network," said Chainlink co-founder Sergey Nazarov in a press release shared with Unchained. "Staking v0.2 introduces important new security features and sets the system up for even further growth in the year to come."

The community staking pool reached its limit less than two weeks after the initial launch of Chainlinks v0.2. This comes as several market forces have lifted the crypto ecosystem to a total market capitalization of $1.6 trillion.

Despite its recent success, the value of Chainlink's staking market pales compared to the total amount of staked ETH and SOL, which are valued at about $68 billion and $26 billion, respectively, based on Unchained's calculations of data from blockchain explorer Solscan and a Nansen dashboard.

LINK, the native token for the decentralized computing platform, is currently exchanging hands at $15.38, a 7.5% increase in the past seven days, data from CoinGecko shows.

See the rest here:

Chainlink Community Staking Pool Full, Drawing More Than $620M - Unchained

ERC-2771 integration introduces address spoofing vulnerability OpenZeppelin – Cointelegraph

Soon after Thirdweb revealed a security vulnerability that could impact a variety of common smart contracts used across the Web3 ecosystem, OpenZeppelin identified two specific standards as the root cause of the threat.

On Dec. 4, Thirdweb reported a vulnerability in a commonly used open-source library, which could impact pre-built contracts, including DropERC20, ERC-721, ERC-1155 (all versions) and AirdropERC20.

In response, smart contract development platform OpenZeppelin and the NFT marketplaces Coinbase NFT and OpenSea proactively informed users about the threat. Upon further investigation, OpenZeppelin found that the vulnerability stems from a problematic integration of two specific standards: ERC-2771 and Multicall.

The vulnerability arises when a contract integrates both ERC-2771 and Multicall. OpenZeppelin identified 13 sets of vulnerable smart contracts and advised crypto service providers to address the issue before bad actors find a way to exploit it.

OpenZeppelin's investigation found that ERC-2771 lets a contract take the real sender of a call from the address a trusted forwarder appends to the call data, overriding the usual msg.sender. When the same contract also exposes Multicall, which re-dispatches caller-supplied call data, an attacker can append an address of their choosing to an inner call and spoof calls on that account's behalf.
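The mechanism described in the TIME token write-up above and in OpenZeppelin's root-cause analysis, as an added Python simulation (not code from CertiK, OpenZeppelin, Thirdweb or any affected project). It models the three EVM behaviours the bug depends on: a trusted forwarder appends the signer's 20-byte address to the call data it relays, the token's _msgSender() takes the last 20 bytes of call data when the caller is the forwarder, and multicall delegatecalls each sub-call with caller-supplied data, so the sub-call's trailing bytes become the "sender". The addresses, keys, selectors, balances and simplified ABI encoding are constructed for the simulation, and an HMAC stands in for the forwarder's signature check (ecrecover on a real chain). The fixed variant follows the approach of OpenZeppelin's patched Multicall, which re-appends the outer call's sender context to every sub-call; it is expressed in this model, not in the library's own code.

```python
"""Toy model of ERC-2771 + Multicall address spoofing; not EVM code."""
from __future__ import annotations

import hashlib
import hmac

# Constructed 20-byte addresses for the simulation (hypothetical).
FORWARDER = bytes.fromhex("f0" * 20)   # the trusted forwarder
ATTACKER = bytes.fromhex("a7" * 20)
POOL = bytes.fromhex("b0" * 20)        # liquidity pool holding most of the supply

# Stand-in for private keys; a real forwarder recovers the signer with ecrecover.
PRIVATE_KEYS = {ATTACKER: b"attacker-private-key"}

SEL_BURN = b"burn"    # stand-ins for 4-byte function selectors
SEL_MULTI = b"mult"


def encode_burn(amount: int) -> bytes:
    return SEL_BURN + amount.to_bytes(32, "big")


def encode_multicall(subcalls: list[bytes]) -> bytes:
    # Simplified ABI: item count, then length-prefixed items. As with real ABI
    # decoding, bytes after the encoded items (e.g. an appended sender) are ignored.
    out = SEL_MULTI + len(subcalls).to_bytes(4, "big")
    for sub in subcalls:
        out += len(sub).to_bytes(4, "big") + sub
    return out


def decode_multicall(args: bytes) -> list[bytes]:
    count = int.from_bytes(args[:4], "big")
    pos, subs = 4, []
    for _ in range(count):
        length = int.from_bytes(args[pos:pos + 4], "big")
        pos += 4
        subs.append(args[pos:pos + length])
        pos += length
    return subs


def sign(signer: bytes, data: bytes) -> bytes:
    return hmac.new(PRIVATE_KEYS[signer], signer + data, hashlib.sha256).digest()


class Token:
    """ERC-2771-aware token exposing burn() and multicall()."""

    def __init__(self, balances: dict[bytes, int], fix_multicall: bool):
        self.balances = dict(balances)
        self.fix_multicall = fix_multicall

    def _msg_sender(self, msg_sender: bytes, calldata: bytes) -> bytes:
        # ERC-2771: when the caller is the trusted forwarder, the real sender is
        # the 20 bytes the forwarder appended to calldata.
        if msg_sender == FORWARDER and len(calldata) >= 20:
            return calldata[-20:]
        return msg_sender

    def handle(self, msg_sender: bytes, calldata: bytes) -> None:
        selector, args = calldata[:4], calldata[4:]
        if selector == SEL_BURN:
            amount = int.from_bytes(args[:32], "big")
            who = self._msg_sender(msg_sender, calldata)
            if self.balances.get(who, 0) < amount:
                raise ValueError("insufficient balance")
            self.balances[who] -= amount
        elif selector == SEL_MULTI:
            # Multicall delegatecalls back into this contract: msg.sender stays
            # the forwarder, but calldata is replaced by the caller-supplied
            # sub-call, so its last 20 bytes now decide _msgSender().
            suffix = b""
            if self.fix_multicall and msg_sender == FORWARDER:
                # Fix: re-append the outer call's sender context to each sub-call
                # so the caller cannot choose the sender of the inner call.
                suffix = calldata[-20:]
            for sub in decode_multicall(args):
                self.handle(msg_sender, sub + suffix)
        else:
            raise ValueError("unknown selector")


def forwarder_execute(token: Token, sender: bytes, data: bytes, signature: bytes) -> None:
    # The forwarder checks the signature over (from, data), then appends
    # req.from to the calldata it relays to the target.
    if not hmac.compare_digest(signature, sign(sender, data)):
        raise ValueError("invalid signature")
    token.handle(FORWARDER, data + sender)


def _run(fix_multicall: bool, inner: bytes) -> dict[bytes, int]:
    token = Token({ATTACKER: 10, POOL: 1_000_000}, fix_multicall)
    data = encode_multicall([inner])
    try:
        forwarder_execute(token, ATTACKER, data, sign(ATTACKER, data))
    except ValueError:
        pass   # a reverted call leaves balances untouched
    return token.balances


def run_attack(fix_multicall: bool) -> dict[bytes, int]:
    # The attacker signs for their own address but plants POOL as the fake
    # ERC-2771 suffix of the inner burn() call.
    return _run(fix_multicall, encode_burn(1_000_000) + POOL)


def run_legit_burn(fix_multicall: bool) -> dict[bytes, int]:
    # An honest meta-transaction: burn 3 of the signer's own tokens.
    return _run(fix_multicall, encode_burn(3))
```

In the vulnerable configuration, run_attack drains the pool's entire balance even though the forwarder only ever vouched for the attacker's address; with the context re-appended, the inner burn resolves to the attacker and reverts for insufficient balance. run_legit_burn shows the flip side: the unpatched combination also misattributes honest forwarded multicalls, because the inner call's trailing bytes are then part of the encoded amount rather than a sender, which is why the fix is a correctness change and not only a security one.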

OpenZeppelin advised projects using this combination to follow a 4-step method: disable every trusted forwarder, pause the contract and revoke approvals, prepare an upgrade, and evaluate snapshot options.

In addition, Thirdweb launched a mitigation tool that allows users to connect their wallets and identify if a contract is vulnerable.

The decentralized finance platform Velodrome also deactivated its relay services until a new version was installed.


In a recent Cointelegraph Magazine article, experts revealed how artificial intelligence (AI) can help audit smart contracts and aid cybersecurity efforts.

James Edwards, the lead maintainer for cybersecurity investigator Librehash, said that while AI chatbots can develop smart contracts, deploying them in a live environment is risky.

On the other hand, Edwards highlighted the technology's potential to vet smart contracts. Recent tests showed AI's ability to audit contracts "with an unprecedented amount of accuracy that far surpasses what one could expect and would receive from GPT-4."

While he concedes its not as good as a human auditor yet, it can already do a strong first pass to speed up the auditors work and make it more comprehensive.


Continue reading here:

ERC-2771 integration introduces address spoofing vulnerability OpenZeppelin - Cointelegraph