Engine - Security updates + more

Phillip Ho

Engine is used by web2 and web3 companies for production use, powering 10M+ transactions per week. Making sure your Engine is secure and your funds are safe are critical, so here's security improvements we made (v2.1.20) and what's coming up.

Security audit

We've completed our second code and infrastructure assessment from an independent third party auditor and will be sharing the report shortly.

No critical vulnerabilities were identified, and all reported issues were addressed.

Security updates

  • Improved CORS response handling. Clearer logs + responses if calls are made from invalid origins.
  • Added modern browser security headers to restrict unused permissions (embedding, geolocation, camera, etc.).
  • Updated dependencies to address publicly reported vulnerabilities.

Other notable updates

  • singlePhaseDrop added to all claim-to endpoints allowing users to set claim conditions and claim tokens in a single phase for custom drop contracts.
  • gasPrice can now be overridden allowing users to explicitly set the gas price for pre-EIP1559 chains.
    • Post-EIP1559 chains should continue to use maxFeePerGas and maxPriorityFeePerGas overrides, if needed.
{
// ...write request body
txOverrides: {
"gasPrice": "50000000000" // pre-EIP1559
// "maxFeePerGas": "50000000000" // post-EIP1559
}
}
  • All /mint-to endpoints were updated to thirdweb v5 SDK and should have greatly improved response times.
  • Idempotency keys up to 200 characters are now supported.
  • The codebase is updated with better organization and code standards, and we're enforcing linting rules moving forward.

thirdweb is hiring!

The small team at thirdweb is on a mission to build the most intuitive and complete web3 platform. Our products empower over 70,000 developers each month including Shopify, AWS, Coinbase, Rarible, Animoca Brands, and InfiniGods.

See our open roles. We’d love to work with you!