I was the auditor that identified and reported a vulnerability in thirdweb's contracts. Now that the issue is public, I can talk about how it was discovered and how it all went down.

This is practically a new attack vector. I came across the vuln while auditing another project; one of @Iosiro_security’s internal reports listed this critical issue for their own client.

Upon learning about this, I recognized many of thirdweb’s contracts followed the same pattern and were vulnerable. I immediately wrote up a POC and contacted thirdweb, which then started the chain of events leading up to now.

I worked with thirdweb to determine which contracts were vulnerable and supported their mitigation efforts. They worked absolutely non-stop.

I was impressed with their professionalism and commitment to resolving this issue as best as they could for their customers, users, and the community at large.

If you’re still not sure if your contracts are affected, use their mitigate tool to find out: mitigate.thirdweb.com.

The underlying cause of this issue--i.e. the interaction between meta transactions and self-delegate/low-level calls--was not properly documented or well known.

Warnings, at the very least, should be added to all meta transaction repositories regarding this interaction, with explicit remarks about its use with multicall functionality, to prevent this situation from occurring again.

The biggest lesson to take away is no matter how widely adopted and trusted contracts are, if they are secure independently, they still may not be secure when used together, no matter how trivial they may seem.