
$30K Stolen from Espresso Co-Founder’s Crypto Wallet Amid Thirdweb Vulnerability


Incident Overview

On Thursday, Jill Gunter, co-founder of the cryptocurrency platform Espresso, disclosed that her wallet had been drained of more than $30,000 in the USDC stablecoin. The theft traced back to a vulnerable bridge contract from Thirdweb, a web3 developer-tooling firm whose contract she had used once before. Gunter, who has worked in the crypto sector for a decade, announced the loss on social media while preparing to give a talk on cryptocurrency privacy at an event in Washington, D.C.

Timeline of Events

Gunter laid out the sequence: the theft happened on December 9, the day after she had moved funds into the wallet in anticipation of an angel investment later that week. The USDC left her jrg.eth wallet for an address beginning 0xF215; tracing that transfer showed that a contract beginning 0x81d5 had initiated it. Gunter identified 0x81d5 as Thirdweb's compromised bridge contract, which she had used only recently for a single transaction of about $5.
</gre_replace>
<gr_replace lines="19" cat="clarify" orig="In her follow-up communications">
In follow-up posts, Gunter said Thirdweb had warned her about a vulnerability in the bridge contract back in April. The flaw allowed the contract to be used to pull tokens from wallets that had approved it, and because an ERC-20 approval persists until the owner revokes it, users who had granted an unlimited allowance exposed not just the amount of their original transaction but any balance deposited into the wallet afterwards. After the incident became public, the contract was flagged as compromised on Etherscan, a widely used blockchain explorer.

Security Vulnerabilities

In her follow-up communications, Gunter shared that Thirdweb had previously alerted her of a vulnerability in the bridge contract back in April. This weakness allowed unauthorized access to users’ funds, especially for those who had granted unlimited token permissions. After this incident became public, the contract in question was marked as compromised on Etherscan, a popular blockchain analytics platform.
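The mechanics described above, as an added illustration that is not code from the article, from Thirdweb or from Espresso: a toy in-memory ERC-20 models approve/transferFrom semantics, a stale unlimited approval to a "bridge" spender is granted for a $5 transaction, and the same allowance is later used to drain a much larger deposit. The addresses, the bridge and all amounts are constructed; only the two 4-byte function selectors are the real ERC-20 ones. The helper functions also show how to inspect a pending approve() calldata for an unlimited amount before signing it, and how to build the approve(spender, 0) call that revokes it.

```javascript
// Added example (constructed): why a stale unlimited ERC-20 approval lets a
// compromised spender contract drain tokens deposited later, and how to
// spot and revoke such approvals. Not Thirdweb's or Espresso's code.
const MAX_UINT256 = (1n << 256n) - 1n;
const USDC_DECIMALS = 6n;
const usdc = (whole) => BigInt(whole) * 10n ** USDC_DECIMALS;

// Real ERC-20 4-byte selectors (first 4 bytes of keccak256 of the signature).
const APPROVE_SELECTOR = "095ea7b3";       // approve(address,uint256)
const TRANSFER_FROM_SELECTOR = "23b872dd"; // transferFrom(address,address,uint256)

// Minimal in-memory ERC-20: balances plus owner->spender allowances.
class ToyErc20 {
  constructor() { this.balances = new Map(); this.allowances = new Map(); }
  static k(owner, spender) { return `${owner.toLowerCase()}|${spender.toLowerCase()}`; }
  balanceOf(a) { return this.balances.get(a.toLowerCase()) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(ToyErc20.k(owner, spender)) ?? 0n; }
  mint(to, amount) { this.balances.set(to.toLowerCase(), this.balanceOf(to) + amount); }
  // Called by the owner: sets (does not add to) the spender's allowance.
  approve(owner, spender, amount) { this.allowances.set(ToyErc20.k(owner, spender), amount); }
  // Called by the spender: moves `from`'s tokens if allowance and balance permit.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error("ERC20: insufficient allowance");
    if (this.balanceOf(from) < amount) throw new Error("ERC20: transfer amount exceeds balance");
    // Decrement the allowance; from 2^256-1 it stays effectively unlimited.
    this.allowances.set(ToyErc20.k(from, spender), allowed - amount);
    this.balances.set(from.toLowerCase(), this.balanceOf(from) - amount);
    this.mint(to, amount);
  }
}

// ABI-encode approve(spender, amount): selector, 32-byte padded address, 32-byte uint.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Decode a pending transaction's calldata; returns null if it is not approve().
function inspectApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // address is right-aligned in its word
  const amount = BigInt("0x" + hex.slice(72));
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Revoking an approval is simply approve(spender, 0).
const encodeRevoke = (spender) => encodeApprove(spender, 0n);

// Constructed addresses; none of these are the ones mentioned in the article.
const OWNER = "0x1111111111111111111111111111111111111111";
const BRIDGE = "0x2222222222222222222222222222222222222222";   // spender contract
const ATTACKER = "0x3333333333333333333333333333333333333333";

function drainScenario({ revokeFirst = false } = {}) {
  const token = new ToyErc20();
  token.mint(OWNER, usdc(5));

  // Earlier: a $5 bridge transaction signed with an unlimited approval
  // instead of an approval for exactly 5 USDC.
  token.approve(OWNER, BRIDGE, MAX_UINT256);
  token.transferFrom(BRIDGE, OWNER, BRIDGE, usdc(5));

  // Later: the owner tops up the wallet for an unrelated purpose.
  token.mint(OWNER, usdc(30000));
  if (revokeFirst) token.approve(OWNER, BRIDGE, 0n);

  // The spender contract is compromised, so whoever controls it can call
  // transferFrom on the owner's behalf and send the whole balance anywhere.
  let drained = 0n;
  try {
    const bal = token.balanceOf(OWNER);
    token.transferFrom(BRIDGE, OWNER, ATTACKER, bal);
    drained = bal;
  } catch (e) { /* allowance revoked: transferFrom reverts */ }

  return {
    drained,
    ownerBalance: token.balanceOf(OWNER),
    attackerBalance: token.balanceOf(ATTACKER),
    remainingAllowance: token.allowance(OWNER, BRIDGE),
  };
}

console.log("no revoke:", drainScenario());
console.log("revoked first:", drainScenario({ revokeFirst: true }));
console.log("approve calldata:", inspectApproval(encodeApprove(BRIDGE, MAX_UINT256)));
```

The point the model makes is that the allowance, not the deposit, is the exposure: the $5 transaction completes, the approval stays, and the later 30,000 USDC deposit becomes spendable by the bridge the moment it lands. Running the scenario with revokeFirst set shows that an approve(spender, 0) issued after the April warning would have caused the drain to revert, whether or not the contract itself was ever decommissioned.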

Community Response

With no assurance of recovering the funds, Gunter described such incidents as an inherent risk of working in crypto. She said she would donate anything recovered to the SEAL Security Alliance and urged others in the community to consider similar contributions to strengthen security efforts.

Thirdweb’s Statement

In response, Thirdweb issued a public statement attributing the theft to a legacy contract that had not been fully decommissioned when the earlier vulnerability was remediated. The company said the legacy contract has now been permanently disabled and that no other wallets or funds are currently at risk.

Broader Context

Thirdweb had already drawn scrutiny for a significant vulnerability identified in late 2023 in a widely used open-source smart-contract library. Security researcher Pascal Caversaccio criticized the company's disclosure approach at the time, arguing that publicly naming vulnerable contracts could tip off attackers before users had revoked their exposure. According to ScamSniffer, a blockchain security firm, more than 500 token contracts were affected by the 2023 vulnerability, and at least 25 of them were exploited.
