@openzeppelin/contracts@4.8.1 vulnerabilities

Secure Smart Contract library for Solidity

Direct Vulnerabilities

Known vulnerabilities in the @openzeppelin/contracts package. This does not include vulnerabilities belonging to this package’s dependencies.

Out-of-bounds Read (severity: medium)

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Out-of-bounds Read in the Base64.encode function. When the input length is not a multiple of 3, the extra bits kept between the encoded data and the padding are not cleared, so an attacker who controls the memory following the input can corrupt the output: parts of memory beyond the input buffer end up being read into the result.

Note: These conditions are more frequent in the following scenarios:

  1. A bytes memory struct is allocated just after the input and the first bytes of it are non-zero.

  2. The memory pointer is set to a non-empty memory location before allocating the input.

How to fix Out-of-bounds Read?

Upgrade @openzeppelin/contracts to version 4.9.6, 5.0.2 or higher.

Vulnerable versions: >=4.5.0 <4.9.6, >=5.0.0-rc.0 <5.0.2
Improper Encoding or Escaping of Output (severity: medium)


Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Contracts using ERC2771Context along with a custom trusted forwarder may see _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes.

Note: This can lead to unintended consequences or incorrect behavior in smart contracts that rely on the accurate identification of the sender.

How to fix Improper Encoding or Escaping of Output?

Upgrade @openzeppelin/contracts to version 4.9.3 or higher.

Vulnerable versions: >=4.0.0 <4.9.3
Improper Input Validation (severity: medium)


Affected versions of this package are vulnerable to Improper Input Validation when the verifyMultiProof, verifyMultiProofCalldata, processMultiProof, or processMultiProofCalldata functions are in use: it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertently for balanced trees with 3 leaves or less, if the leaves are not hashed, or deliberately if a malicious tree builder includes such a node in the tree. A contract is not vulnerable if it uses single-leaf proving (verify, verifyCalldata, processProof, or processProofCalldata), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe.

How to fix Improper Input Validation?

Upgrade @openzeppelin/contracts to version 4.9.2 or higher.

Vulnerable versions: >=4.7.0 <4.9.2
Missing Authorization (severity: low)


Affected versions of this package are vulnerable to Missing Authorization. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.

Note: In order for this attack to succeed, an attacker would need to have prior knowledge of a proposal creation.

Impact: This issue impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0.

How to fix Missing Authorization?

Upgrade @openzeppelin/contracts to version 4.9.1 or higher.

Vulnerable versions: >=4.3.0 <4.9.1
Denial of Service (DoS) (severity: low)


Affected versions of this package are vulnerable to Denial of Service (DoS) because a function in the implementation contract may become inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata, so the call never reaches the implementation.

How to fix Denial of Service (DoS)?

Upgrade @openzeppelin/contracts to version 4.8.3 or higher.

Vulnerable versions: >=3.2.0 <4.8.3
Improper Input Validation (severity: medium)


Affected versions of this package are vulnerable to Improper Input Validation due to missing signatures length validation of the proposal creation entry point (propose) in GovernorCompatibilityBravo, which allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds, the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions appear to respect the originally intended calldata.

How to fix Improper Input Validation?

Upgrade @openzeppelin/contracts to version 4.8.3 or higher.

Vulnerable versions: >=4.3.0 <4.8.3
Incorrect Calculation (severity: medium)


Affected versions of this package are vulnerable to Incorrect Calculation. The ERC721Consecutive contract, designed for minting NFTs in batches, does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may underflow the balance as reported by balanceOf, since the balance was never incremented for the minted token.

How to fix Incorrect Calculation?

Upgrade @openzeppelin/contracts to version 4.8.2 or higher.

Vulnerable versions: >=4.8.0 <4.8.2