@openzeppelin/contracts-upgradeable@4.6.0 vulnerabilities

Secure Smart Contract library for Solidity

Direct Vulnerabilities

Known vulnerabilities in the @openzeppelin/contracts-upgradeable package. This does not include vulnerabilities belonging to this package’s dependencies.

Out-of-bounds Read (severity: Medium)

@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.

Affected versions of this package are vulnerable to Out-of-bounds Read in the Base64.encode function. When the input length is not a multiple of 3, the extra bits kept between the encoded data and the padding are not cleared, so memory beyond the input buffer is read into the output; an attacker who can influence that memory can corrupt the encoded result.

Note: These conditions are more frequent in the following scenarios:

  1. A bytes memory struct is allocated just after the input and the first bytes of it are non-zero.

  2. The memory pointer is set to a non-empty memory location before allocating the input.

How to fix Out-of-bounds Read?

Upgrade @openzeppelin/contracts-upgradeable to version 4.9.6, 5.0.2 or higher.

Vulnerable versions: >=4.5.0 <4.9.6, >=5.0.0-rc.0 <5.0.2
Improper Encoding or Escaping of Output (severity: Medium)

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Contracts using ERC2771Context along with a custom trusted forwarder may see _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes.

Note: This can lead to unintended consequences or incorrect behavior in smart contracts that rely on the accurate identification of the sender.

How to fix Improper Encoding or Escaping of Output?

Upgrade @openzeppelin/contracts-upgradeable to version 4.9.3 or higher.

Vulnerable versions: >=4.0.0 <4.9.3
Missing Authorization (severity: Low)

Affected versions of this package are vulnerable to Missing Authorization. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.

Note: In order for this attack to succeed, an attacker would need to have prior knowledge of a proposal creation.

Impact: This issue affects the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0.

How to fix Missing Authorization?

Upgrade @openzeppelin/contracts-upgradeable to version 4.9.1 or higher.

Vulnerable versions: >=4.3.0 <4.9.1
Denial of Service (DoS) (severity: Low)

Affected versions of this package are vulnerable to Denial of Service (DoS) such that a function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata.

How to fix Denial of Service (DoS)?

Upgrade @openzeppelin/contracts-upgradeable to version 4.8.3 or higher.

Vulnerable versions: >=3.2.0 <4.8.3
Improper Input Validation (severity: Medium)

Affected versions of this package are vulnerable to Improper Input Validation due to missing signatures length validation of the proposal creation entry point (propose) in GovernorCompatibilityBravo, which allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds, the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions appear to respect the originally intended calldata.

How to fix Improper Input Validation?

Upgrade @openzeppelin/contracts-upgradeable to version 4.8.3 or higher.

Vulnerable versions: >=4.3.0 <4.8.3
Improper Verification of Cryptographic Signature (severity: High)

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via ECDSA.recover and ECDSA.tryRecover, which accept EIP-2098 compact (64-byte) signatures in addition to the traditional 65-byte signature format. Because the same signature is therefore valid in two different encodings, contracts that use the raw signature bytes as a uniqueness or replay-protection check can have that check bypassed.

How to fix Improper Verification of Cryptographic Signature?

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.3 or higher.

Vulnerable versions: <4.7.3
Denial of Service (DoS) (severity: Medium)

Affected versions of this package are vulnerable to Denial of Service (DoS) in the supportsERC165InterfaceUnchecked() function in ERC165Checker.sol and ERC165CheckerUpgradeable.sol, which can consume excessive resources when processing a large amount of data via an EIP-165 supportsInterface query.

How to fix Denial of Service (DoS)?

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.2 or higher.

Vulnerable versions: >=3.2.0 <4.7.2
Incorrect Resource Transfer Between Spheres (severity: Low)

Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres in contracts using the cross-chain utilities for Arbitrum L2, CrossChainEnabledArbitrumL2 or LibArbitrumL2. These utilities classify direct interactions from externally owned accounts (EOAs) as cross-chain calls, even though such calls did not originate on L1.

Note: Any action an EOA can take directly on the contract could also be taken by that EOA through the bridge, even if the issue were not present.

How to fix Incorrect Resource Transfer Between Spheres?

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.2 or higher.

Vulnerable versions: >=4.6.0 <4.7.2
Incorrect Calculation (severity: High)

Affected versions of this package are vulnerable to Incorrect Calculation in the GovernorVotesQuorumFraction module. If a proposal that lowers the quorum requirement passes, past proposals that were defeated only because they failed to reach quorum may become executable, provided the number of votes they received meets the new, lower quorum.

How to fix Incorrect Calculation?

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.2 or higher.

Vulnerable versions: >=4.3.0 <4.7.2
Information Exposure (severity: High)

Affected versions of this package are vulnerable to Information Exposure. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected.

The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. We believe this to be unlikely.

How to fix Information Exposure?

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.1 or higher.

Vulnerable versions: >=4.1.0 <4.7.1
Information Exposure (severity: High)

Affected versions of this package are vulnerable to Information Exposure. ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1.

The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting.

How to fix Information Exposure?

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.1 or higher.

Vulnerable versions: >=4.0.0 <4.7.1