@openzeppelin/contracts@4.7.0 vulnerabilities

Secure Smart Contract library for Solidity

Direct Vulnerabilities

Known vulnerabilities in the @openzeppelin/contracts package. This does not include vulnerabilities belonging to this package’s dependencies.

  • High severity: Improper Verification of Cryptographic Signature

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via ECDSA.recover and ECDSA.tryRecover, because they accept EIP-2098 compact (64-byte) signatures in addition to the traditional 65-byte signature format.

How to fix Improper Verification of Cryptographic Signature?

Upgrade @openzeppelin/contracts to version 4.7.3 or higher.

Vulnerable versions: <4.7.3
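The advisory above describes a recover routine that takes two encodings of the same (r, s, v) triple. The following illustration is added here and is not OpenZeppelin code; the contract, the voucher scheme, the function names and the 65-byte-only rule are assumptions. It shows the hazard from a defender's side: replay protection keyed on the raw signature bytes has a different key for each encoding, whereas keying on what was signed (and accepting a single encoding) does not depend on how the bytes arrive.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract, not OpenZeppelin code. A signed voucher can be redeemed
// once. The unsafe path marks the raw signature bytes as "used"; the safe path
// marks the voucher id and accepts only the 65-byte (r, s, v) layout.
contract VoucherRedeemer {
    // secp256k1 half curve order: s values above this are non-canonical.
    uint256 private constant HALF_N = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public immutable signer;
    mapping(bytes32 => bool) public usedSignature;   // unsafe key: keccak256(signature bytes)
    mapping(bytes32 => bool) public redeemedVoucher; // safe key: what was signed

    constructor(address signer_) { signer = signer_; }

    function _digest(bytes32 voucherId, address to) internal view returns (bytes32) {
        // EIP-191 prefix over a hash that binds voucher, recipient, chain and contract.
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(voucherId, to, block.chainid, address(this)))));
    }

    // Behaviour of the affected versions, reproduced for contrast: both the
    // 65-byte layout and the 64-byte EIP-2098 compact layout are accepted, so a
    // single (r, s, v) has two distinct byte encodings.
    function _recoverLenient(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        bytes32 r; bytes32 s; uint8 v;
        if (sig.length == 65) {
            assembly {
                r := calldataload(sig.offset)
                s := calldataload(add(sig.offset, 32))
                v := byte(0, calldataload(add(sig.offset, 64)))
            }
        } else if (sig.length == 64) {
            bytes32 vs;
            assembly {
                r := calldataload(sig.offset)
                vs := calldataload(add(sig.offset, 32))
            }
            s = vs & bytes32(type(uint256).max >> 1);   // clear the parity bit
            v = uint8(uint256(vs) >> 255) + 27;         // parity bit -> 27 / 28
        } else {
            revert("bad signature length");
        }
        require(uint256(s) <= HALF_N && (v == 27 || v == 28), "malformed signature");
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0), "invalid signature");
        return recovered;
    }

    // Hardened: exactly one encoding is accepted (same parsing, length pinned to 65).
    function _recoverStrict(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        return _recoverLenient(digest, sig);
    }

    function redeemUnsafe(bytes32 voucherId, bytes calldata sig) external {
        require(_recoverLenient(_digest(voucherId, msg.sender), sig) == signer, "unauthorized");
        bytes32 key = keccak256(sig);
        require(!usedSignature[key], "already redeemed");
        usedSignature[key] = true;  // the other encoding of the same signature has a different key
        // ... pay out to msg.sender
    }

    function redeemSafe(bytes32 voucherId, bytes calldata sig) external {
        require(_recoverStrict(_digest(voucherId, msg.sender), sig) == signer, "unauthorized");
        require(!redeemedVoucher[voucherId], "already redeemed");
        redeemedVoucher[voucherId] = true; // same key however the signature is encoded
        // ... pay out to msg.sender
    }
}
```

The check that matters is not the length test by itself but the choice of key: even with a single accepted encoding, marking the voucher id (or a per-signer nonce) as consumed is what makes redemption independent of signature presentation, and it is also what the upgrade to 4.7.3 leaves untouched in calling contracts.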
  • Medium severity: Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) in the supportsERC165InterfaceUnchecked() function in ERC165Checker.sol and ERC165CheckerUpgradeable.sol, which can consume excessive resources when processing a large amount of data via an EIP-165 supportsInterface query.

How to fix Denial of Service (DoS)?

Upgrade @openzeppelin/contracts to version 4.7.2 or higher.

Vulnerable versions: >=2.3.0 <4.7.2
  • Low severity: Incorrect Resource Transfer Between Spheres

Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres in contracts that use the cross-chain utilities for Arbitrum L2, CrossChainEnabledArbitrumL2 or LibArbitrumL2. These classify direct interactions of externally owned accounts (EOAs) as cross-chain calls, even though they were not initiated on L1.

Note: any action an EOA can take directly on the affected contract could also be taken by that EOA through the bridge even if the issue were not present.

How to fix Incorrect Resource Transfer Between Spheres?

Upgrade @openzeppelin/contracts to version 4.7.2 or higher.

Vulnerable versions: >=4.6.0 <4.7.2
  • High severity: Incorrect Calculation

Affected versions of this package are vulnerable to Incorrect Calculation via the GovernorVotesQuorumFraction module. The vulnerability is exploitable by passing a proposal that lowers the quorum requirement: past proposals that were defeated only for lack of quorum may become executable if the number of votes they received meets the new, lower quorum.

How to fix Incorrect Calculation?

Upgrade @openzeppelin/contracts to version 4.7.2 or higher.

Vulnerable versions: >=4.3.0 <4.7.2
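The quorum problem above comes from evaluating every proposal against the numerator in force now rather than the one in force at the proposal's snapshot. The fragment below is an added illustration, not OpenZeppelin code: the contract name, the checkpoint layout, the `_pastTotalSupply` hook and the `quorumReached` signature are assumptions. It keeps a history of the quorum numerator and looks up the value that applied at the snapshot block, so lowering the fraction later changes nothing for proposals already voted on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative governor fragment, not OpenZeppelin code. The quorum a proposal
// must reach is fixed by the numerator in force at its snapshot block, so a later
// vote that lowers the fraction cannot retroactively turn a defeat into a pass.
abstract contract SnapshotQuorum {
    struct Checkpoint { uint64 fromBlock; uint192 numerator; }

    uint256 public constant QUORUM_DENOMINATOR = 100;
    Checkpoint[] private _numeratorHistory;

    // Assumed hook into a votes token: total voting supply at a past block.
    function _pastTotalSupply(uint256 blockNumber) internal view virtual returns (uint256);

    constructor(uint256 initialNumerator) {
        _pushNumerator(initialNumerator);
    }

    /// @dev Called from a successful governance proposal; records the new value and the block it took effect.
    function _updateQuorumNumerator(uint256 newNumerator) internal {
        require(newNumerator <= QUORUM_DENOMINATOR, "numerator over denominator");
        _pushNumerator(newNumerator);
    }

    function _pushNumerator(uint256 value) private {
        uint256 len = _numeratorHistory.length;
        if (len > 0 && _numeratorHistory[len - 1].fromBlock == block.number) {
            _numeratorHistory[len - 1].numerator = uint192(value); // same block: overwrite
        } else {
            _numeratorHistory.push(Checkpoint(uint64(block.number), uint192(value)));
        }
    }

    /// @dev Latest numerator. Using this for every proposal is the behaviour the advisory describes.
    function quorumNumerator() public view returns (uint256) {
        return _numeratorHistory[_numeratorHistory.length - 1].numerator;
    }

    /// @dev Numerator in force at `blockNumber`: the last checkpoint with fromBlock <= blockNumber.
    function quorumNumeratorAt(uint256 blockNumber) public view returns (uint256) {
        uint256 low = 0;
        uint256 high = _numeratorHistory.length;
        while (low < high) {
            uint256 mid = (low + high) / 2;
            if (_numeratorHistory[mid].fromBlock > blockNumber) {
                high = mid;
            } else {
                low = mid + 1;
            }
        }
        // low is the number of checkpoints at or before blockNumber; before the first one, use it.
        return low == 0 ? _numeratorHistory[0].numerator : _numeratorHistory[low - 1].numerator;
    }

    /// @dev Quorum required by a proposal whose snapshot is `blockNumber`.
    function quorum(uint256 blockNumber) public view returns (uint256) {
        return (_pastTotalSupply(blockNumber) * quorumNumeratorAt(blockNumber)) / QUORUM_DENOMINATOR;
    }

    /// @dev Quorum check for a proposal: evaluated against the snapshot-time fraction, never the current one.
    function quorumReached(uint256 snapshotBlock, uint256 forVotes, uint256 abstainVotes)
        public view returns (bool)
    {
        return quorum(snapshotBlock) <= forVotes + abstainVotes;
    }
}
```

A proposal defeated at snapshot block B with numerator 40 stays defeated after a later proposal sets the numerator to 10, because `quorumNumeratorAt(B)` still returns 40; only proposals whose snapshot falls after the update see the lower fraction.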
  • High severity: Information Exposure

Affected versions of this package are vulnerable to Information Exposure. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode lets it revert in some cases, given a target contract that does not implement EIP-1271 as expected.

The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. We believe this to be unlikely.

How to fix Information Exposure?

Upgrade @openzeppelin/contracts to version 4.7.1 or higher.

Vulnerable versions: >=4.1.0 <4.7.1
  • High severity: Information Exposure

Affected versions of this package are vulnerable to Information Exposure. ERC165Checker.supportsInterface is designed to always return a boolean and never revert. However, an incorrect assumption about Solidity 0.8's abi.decode lets it revert in some cases, given a target contract that does not implement EIP-165 as expected, specifically if it returns a value other than 0 or 1.

The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting.

How to fix Information Exposure?

Upgrade @openzeppelin/contracts to version 4.7.1 or higher.

Vulnerable versions: >=4.0.0 <4.7.1
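Three of the advisories above concern the same situation: a helper that probes an untrusted contract (ERC165Checker for EIP-165, SignatureChecker for EIP-1271) must not let the target's reply make the caller revert or run out of gas. The library below is an added illustration, not OpenZeppelin code; the library and function names and the 30000-gas stipend are assumptions. It shows the defensive shape for both probes: bounded gas, bounded copying of return data, and comparison of the raw returned word instead of a strict `abi.decode` of a `bool` or `bytes4`, so a non-conforming target reads as "unsupported" or "invalid" rather than as a revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative helpers, not OpenZeppelin code, for probing an untrusted contract
// without letting a misbehaving target make the probe revert or starve the
// caller of gas.
library SafeInterfaceProbe {
    bytes4 private constant ERC165_SELECTOR = 0x01ffc9a7;  // supportsInterface(bytes4)
    bytes4 private constant ERC1271_MAGIC = 0x1626ba7e;    // isValidSignature(bytes32,bytes)

    /// @dev True only if `account` answers a supportsInterface query with a 32-byte word equal to 1.
    function supportsInterfaceNoRevert(address account, bytes4 interfaceId)
        internal view returns (bool)
    {
        bytes memory data = abi.encodeWithSelector(ERC165_SELECTOR, interfaceId);
        bool ok;
        uint256 size;
        uint256 word;
        assembly {
            // Assumed 30000-gas stipend: enough for an honest view function, while a
            // looping target cannot consume the caller's whole budget. Output goes to
            // the 32-byte scratch space at 0x00, so the EVM copies at most 32 bytes
            // however large the returndata is (no memory-expansion cost for the caller).
            ok := staticcall(30000, account, add(data, 0x20), mload(data), 0x00, 0x20)
            size := returndatasize()
            word := mload(0x00)
        }
        // Comparing the raw word avoids abi.decode(result, (bool)), which in Solidity 0.8
        // reverts for any word other than 0 or 1; here such a reply reads as "unsupported".
        return ok && size >= 32 && word == 1;
    }

    /// @dev True only if `account` returns exactly the EIP-1271 magic value; never reverts in the caller.
    function isValidSignatureNoRevert(address account, bytes32 hash, bytes memory signature)
        internal view returns (bool)
    {
        (bool ok, bytes memory result) = account.staticcall(
            abi.encodeWithSelector(ERC1271_MAGIC, hash, signature)
        );
        // abi.decode(result, (bytes4)) can revert when the returned word is not a cleanly
        // padded bytes4; decoding the whole word and comparing it with the left-aligned
        // selector turns a non-conforming reply into "invalid" instead of a revert.
        return ok && result.length >= 32 && abi.decode(result, (bytes32)) == bytes32(ERC1271_MAGIC);
    }
}
```

The EIP-1271 helper uses the high-level `staticcall`, which copies the whole returndata into memory; where a hostile signer contract is a concern, the same scratch-space pattern used in `supportsInterfaceNoRevert` bounds that copy as well.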