On Thursday, Jill Gunter, co-founder of Espresso, a “base layer for rollups,” informed her followers on X that her wallet had been drained through a vulnerability in a Thirdweb contract.
The 10-year cryptocurrency industry veteran pointed out the “deep irony” that her funds were funneled into the privacy protocol Railgun while she was “writing a defense of privacy protection in cryptocurrencies to present in Washington, D.C. next week.”
In a follow-up thread, Gunter explained the process of investigating how over $30,000 in USDC was lost.
The transaction that drained Gunter’s jrg.eth address occurred on December 9th.
The tokens had been moved to that address the day before the theft “in anticipation of funding an angel investment that was planned this week.”
The tokens were moved from jrg.eth to another address (0xF215), but the transaction shows a contract interaction with 0x81d5.
Gunter discovered that the vulnerable contract that caused her wallet to be drained was a Thirdweb bridge contract that she had previously used to make a “$5 transfer.”
We contacted Thirdweb and were informed that a vulnerability was discovered in the bridge contract in April, which allowed “anyone to access the funds of users who click through and accept unlimited token authorization.”
Indeed, the contract has been flagged as compromised on Etherscan.
A Thirdweb blog post published today states that the theft “results from legacy contracts not being properly retired during the April 2025 vulnerability response.”
Thirdweb has “permanently revoked legacy contracts, and users’ wallets and funds are no longer at risk.”
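The failure mode described above is an unlimited ERC-20 approval that outlives the contract it was granted to. The following added example (not code from the article or from Thirdweb) replays ERC-20 Approval event logs to find a wallet's live approvals to a given set of risky spenders, flags the unlimited ones, and builds the approve(spender, 0) calldata that revokes them. All addresses and log entries are constructed for the demo.

```python
UINT256_MAX = 2**256 - 1
# keccak256("Approval(address,address,uint256)"): the standard ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # 4-byte selector of approve(address,uint256)
# Constructed addresses for the demo; none of these are real contracts or wallets.
OWNER = "0x1111111111111111111111111111111111111111"          # victim wallet
LEGACY_BRIDGE = "0x2222222222222222222222222222222222222222"  # un-retired legacy contract
OTHER_SPENDER = "0x4444444444444444444444444444444444444444"  # unrelated, benign spender
USDC = "0x3333333333333333333333333333333333333333"           # token contract

def pad_topic(addr: str) -> str:
    """Indexed address arguments appear in log topics left-padded to 32 bytes."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def topic_to_address(topic: str) -> str:
    return "0x" + topic[-40:].lower()

# Constructed Approval logs in chain order, shaped like eth_getLogs output.
SAMPLE_LOGS = [
    # unlimited approval granted to the legacy contract during an earlier small transfer
    {"address": USDC, "topics": [APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(LEGACY_BRIDGE)],
     "data": "0x" + format(UINT256_MAX, "064x")},
    # a bounded approval to another spender, later reduced to zero by the user
    {"address": USDC, "topics": [APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(OTHER_SPENDER)],
     "data": "0x" + format(5_000_000, "064x")},
    {"address": USDC, "topics": [APPROVAL_TOPIC, pad_topic(OWNER), pad_topic(OTHER_SPENDER)],
     "data": "0x" + format(0, "064x")},
]

def latest_allowances(logs):
    """Replay Approval events; the newest per (token, owner, spender) is the live allowance."""
    state = {}
    for log in logs:
        if log["topics"][0].lower() != APPROVAL_TOPIC:
            continue  # some other event type
        owner, spender = topic_to_address(log["topics"][1]), topic_to_address(log["topics"][2])
        state[(log["address"].lower(), owner, spender)] = int(log["data"], 16)
    return state

def find_risky_approvals(logs, owner, risky_spenders):
    """Live non-zero approvals by `owner` to any risky spender; last field marks unlimited."""
    risky = {s.lower() for s in risky_spenders}
    return [(token, spender, value, value == UINT256_MAX)
            for (token, o, spender), value in latest_allowances(logs).items()
            if o == owner.lower() and spender in risky and value > 0]

def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector, 32-byte padded address, 32-byte zero amount."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64
```

Against real chain data the same functions take the output of eth_getLogs filtered on APPROVAL_TOPIC and the wallet's padded address as the owner topic; the revoke calldata is sent to the token contract, not to the spender.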
Gunter praised the SEAL Security Alliance’s response, pledged to donate any potential reimbursement, and called on others to do the same.
Thirdweb’s second rodeo
In addition to the vulnerable bridge contract, Thirdweb previously disclosed widespread vulnerabilities in late 2023.
It notified the cryptocurrency community that “a commonly used open source library has a security vulnerability.”
Pascal Caversaccio, a security researcher and SEAL member, called Thirdweb’s statement “not a responsible disclosure.” He argued that providing a list of vulnerable contracts would give black hat hackers a “head start.”
More than 500 token contracts were affected and at least 25 were exploited, according to an analysis by cryptocurrency fraud tracking firm ScamSniffer.