Overview
The thirdweb MCP server's tool integration allows unauthorized cryptocurrency transactions: an attacker can use the server to initiate transactions from connected wallets without proper authorization.
Who Is Affected
Reported by mcpsec.dev. Affects users of the thirdweb MCP server who connect it to cryptocurrency wallets for AI-assisted blockchain development and management.
Where It Exists
The vulnerability is in the thirdweb MCP server's transaction authorization flow. The server provides MCP tools for blockchain interactions that lack adequate access controls on transaction-signing operations.
When It Was Found
Advisory published September 3, 2025 on mcpsec.dev.
How It Works
An attacker exploits the thirdweb MCP server's transaction tools (via direct access to the unauthenticated endpoint or through prompt injection in content the agent processes) to initiate cryptocurrency transactions. The server's wallet integration processes these as legitimate tool calls, signing and broadcasting transactions from the connected wallet.
Impact
Direct financial loss through unauthorized cryptocurrency transactions. Attackers can drain connected wallets, transfer tokens, or interact with smart contracts on behalf of the victim. Unlike the effects of many traditional exploits, cryptocurrency transactions cannot be reversed once they are confirmed on-chain.
Mitigation
Require explicit user confirmation for all transaction-signing operations. Implement spending limits and allowlists for transaction recipients. Use hardware wallet signing that requires physical confirmation. Bind the MCP server to localhost only. Add authentication to the SSE endpoint.
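The first four mitigations above can be enforced as a single policy gate that a wallet-backed MCP tool consults before anything is signed. The following is an added example, not thirdweb's code; the tool argument names (`to`, `value`) and the confirmation-token mechanism are assumptions, and the hardware-wallet step is represented only by the out-of-band token the user must approve.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Optional, Tuple

@dataclass
class TxPolicy:
    recipient_allowlist: frozenset          # lowercase hex addresses permitted as "to"
    max_per_tx: Decimal                     # cap on the value of a single transaction
    max_per_window: Decimal                 # cap on cumulative value in the current window
    spent_in_window: Decimal = Decimal(0)   # running total; caller resets it when the window rolls over
    require_confirmation: bool = True       # every signing request needs a user-approved token
    # Single-use tokens issued by an out-of-band user prompt (hypothetical mechanism)
    approved_tokens: set = field(default_factory=set)

def authorize_tx(policy: TxPolicy, tool_args: dict,
                 confirmation_token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a transaction-signing tool call may proceed.

    tool_args is untrusted: it may originate from an unauthenticated client or
    from prompt-injected model output, so every field is validated here rather
    than trusted because it arrived as a well-formed tool call.
    """
    to = str(tool_args.get("to", "")).lower()
    try:
        value = Decimal(str(tool_args.get("value", "0")))
    except (InvalidOperation, ValueError):
        return False, "value is not a number"
    if value < 0:
        return False, "negative value"
    if to not in policy.recipient_allowlist:
        return False, f"recipient {to or '<missing>'} not on allowlist"
    if value > policy.max_per_tx:
        return False, "exceeds per-transaction limit"
    if policy.spent_in_window + value > policy.max_per_window:
        return False, "exceeds spending window limit"
    if policy.require_confirmation:
        if confirmation_token is None or confirmation_token not in policy.approved_tokens:
            return False, "no user confirmation for this request"
        policy.approved_tokens.discard(confirmation_token)  # a token authorizes exactly one signature
    policy.spent_in_window += value   # only counted once the request is fully authorized
    return True, "ok"
```

A rejected request never consumes a confirmation token or counts against the window, so a flood of injected tool calls cannot exhaust a legitimate user's approvals or budget.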