@openzeppelin/contracts@4.3.0 vulnerabilities

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Contracts using ERC2771Context along with a custom trusted forwarder may see _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes.

Note:

This can lead to unintended consequences or incorrect behavior in smart contracts that rely on the accurate identification of the sender.

Upgrade @openzeppelin/contracts to version 4.9.3 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Missing Authorization. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.

Note: In order for this attack to succeed, an attacker would need to have prior knowledge of a proposal creation.

Impact:

This issue impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0.

Upgrade @openzeppelin/contracts to version 4.9.1 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Denial of Service (DoS) such that a function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata.

Upgrade @openzeppelin/contracts to version 4.8.3 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Input Validation due to missing signatures length validation of the proposal creation entry point (propose) in GovernorCompatibilityBravo, which allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds, the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions appear to respect the originally intended calldata.

Upgrade @openzeppelin/contracts to version 4.8.3 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via ECDSA.recover and ECDSA.tryRecover due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format.

Upgrade @openzeppelin/contracts to version 4.7.3 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the supportsERC165InterfaceUnchecked() function in ERC165Checker.sol and ERC165CheckerUpgradeable.sol, which can consume excessive resources when processing a large amount of data via an EIP-165 supportsInterface query.

Upgrade @openzeppelin/contracts to version 4.7.2 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Incorrect Calculation via the GovernorVotesQuorumFraction module. This vulnerability is exploitable by passing a proposal to lower the quorum requirements, leading to past proposals possibly becoming executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement.

Upgrade @openzeppelin/contracts to version 4.7.2 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Information Exposure. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected.

The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. We believe this to be unlikely.

Upgrade @openzeppelin/contracts to version 4.7.1 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Information Exposure. ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1.

The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting.

Upgrade @openzeppelin/contracts to version 4.7.1 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Function Call With Incorrect Argument. The GovernorCompatibilityBravo module may lead to the creation of governance proposals that execute function calls with incorrect arguments due to bad ABI encoding.

Upgrade @openzeppelin/contracts to version 4.4.2 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible for initializer() protected functions to be executed twice, if this happens in the same transaction. For this to happen, either one call has to be a subcall to the other, or both calls have to be subcalls of a common initializer() protected function. This can be particularly dangerous if the initialization is not part of the proxy construction, and reentrancy is possible by executing an external call to an untrusted address.

NOTE: This vulnerability has also been identified as: CVE-2021-46320

Upgrade @openzeppelin/contracts to version 4.4.1 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It is possible for initializer() protected functions to be executed twice, if this happens in the same transaction. For this to happen, either one call has to be a subcall to the other, or both calls have to be subcalls of a common initializer() protected function. This can be particularly dangerous if the initialization is not part of the proxy construction, and reentrancy is possible by executing an external call to an untrusted address.

NOTE: This vulnerability has also been identified as: CVE-2022-39384

Upgrade @openzeppelin/contracts to version 4.4.1 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Numeric Errors. When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the ERC1155Supply extension, the total supply is not updated until after the callback, thus during the callback the reported total supply is lower than the real number of tokens in circulation.

Upgrade @openzeppelin/contracts to version 4.3.3 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Initialization via uninitialized implementation contracts using UUPSUpgradeable.

Upgrade @openzeppelin/contracts to version 4.3.2 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Input Validation. Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts.

Due to this vulnerability, it is recommended that all projects using the UUPS proxy pattern should initialize their implementation contracts, even after upgrading to the fixed version. An example of how to do this is here.

Upgrade @openzeppelin/contracts to version 4.3.2 or higher.

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Privilege Escalation. A vulnerability in TimelockController allowed an actor with the executor role to escalate privileges.

As a workaround, revoke the executor role from accounts not strictly under the team's control. It is recommended to revoke all executors that are not also proposers. When applying this mitigation, ensure there is at least one proposer and executor remaining.

Upgrade @openzeppelin/contracts to version 4.3.1, 3.4.2 or higher.