Jill Gunter, co-founder of Espresso, reported Thursday that her crypto wallet was drained due to a vulnerability in a Thirdweb contract, according to statements posted on social media.
Summary
- Crypto veteran Jill Gunter reported the theft of over $30,000 in USDC from her wallet, which was drained on Dec. 9 and routed through Railgun.
- The vulnerability stemmed from a legacy Thirdweb contract that allowed access to funds with unlimited token approvals.
- The incident followed a separate 2023 open-source library flaw that affected more than 500 token contracts and was exploited at least 25 times, according to ScamSniffer.
Gunter, described as a 10-year veteran of the cryptocurrency industry, said more than $30,000 in USDC stablecoin was stolen from her wallet. The funds were transferred to the privacy protocol Railgun while she was preparing a presentation on cryptocurrency privacy for an event in Washington, D.C., according to her account.
In a follow-up post, Gunter detailed the investigation into the theft. The transaction that drained her jrg.eth address occurred on December 9, with the tokens having been moved into the address the day before in anticipation of funding an angel investment planned for that week, she stated.
Although the tokens were transferred from jrg.eth to another address identified as 0xF215, the transaction showed a contract interaction with 0x81d5, according to Gunter’s analysis. She identified the vulnerable contract as a Thirdweb bridge contract she had previously used for a $5 transfer.
Thirdweb informed Gunter that a vulnerability had been discovered in the bridge contract in April, she reported. The vulnerability allowed anyone to access funds from users who had approved unlimited token permissions. The contract has since been labeled as compromised on Etherscan, a blockchain explorer.
Gunter stated she did not know whether she would receive reimbursement and characterized such risks as an occupational hazard in the cryptocurrency industry. She pledged to donate any recovered funds to the SEAL Security Alliance and encouraged others to consider donations as well.
Thirdweb published a blog post stating the theft resulted from a legacy contract not being properly decommissioned during its April 2025 vulnerability response. The company said it has permanently disabled the legacy contract and that no user wallets or funds remain at risk.
In addition to the vulnerable bridge contract, Thirdweb disclosed a wide-reaching vulnerability in late 2023 in a commonly used open-source library. Security researcher Pascal Caversaccio of SEAL criticized Thirdweb’s disclosure approach, stating that providing a list of vulnerable contracts gave malicious actors advance warning.
According to analysis by ScamSniffer, a blockchain security firm, over 500 token contracts were affected by the 2023 vulnerability and at least 25 were exploited.
