
Smart contract auditor for Macro
I was the auditor that identified and reported a vulnerability in thirdweb's contracts. Now that the issue is public, I can talk about how it was discovered and how it all went down.
The biggest lesson to take away is that no matter how widely adopted and trusted contracts are, and no matter how trivial they seem, two contracts that are each secure on their own may not be secure when combined.
The underlying cause of this issue, the interaction between meta transactions and self-delegate/low-level calls, was neither properly documented nor well known.
Upon learning about this, I recognized that many of thirdweb's contracts followed the same pattern and were vulnerable. I immediately wrote up a PoC and contacted thirdweb, which started the chain of events leading up to now.