Improper Synchronization Affecting @openzeppelin/contracts package, versions <3.4.0-rc.0
Snyk ID SNYK-JS-OPENZEPPELINCONTRACTS-1065254
- published 27 Jan 2021
- disclosed 27 Jan 2021
- credit Hubert Ritzdorf, antonper (Anton)
How to fix?
Upgrade @openzeppelin/contracts to version 3.4.0-rc.0 or higher.
Overview
@openzeppelin/contracts is a library for contract development.
Affected versions of this package are vulnerable to Improper Synchronization via the ERC777 contract. Extending this contract with a custom _beforeTokenTransfer function could allow a reentrancy attack to happen. When burning tokens, _beforeTokenTransfer is invoked before the send hook is externally called on the sender, while token balances are adjusted afterwards. At the moment of the call to the sender, which can result in reentrancy, the state managed by _beforeTokenTransfer may not correspond to the actual token balances or total supply.
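The ordering problem described above, shown as an added illustration that is not OpenZeppelin's code: a stripped-down burn path with the advisory's ordering (extension hook, then external call to the sender, then balance update) next to a safe ordering in which the external call happens before any internal state is touched. The contract and function names (`SimplifiedBurn`, `BurnAccounting`, `_callTokensToSend`, `_burnVulnerable`, `_burnReordered`, `_burned`) and the accounting extension are assumptions chosen for the example; the real ERC777 implementation has more parameters and checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.6.0 <0.8.0;

// Added illustration (not OpenZeppelin code). Only the burn path is modelled.
abstract contract SimplifiedBurn {
    mapping(address => uint256) internal _balances;
    uint256 internal _totalSupply;

    // Extension point: a custom override (snapshots, accounting, limits) runs here.
    function _beforeTokenTransfer(address operator, address from, address to, uint256 amount) internal virtual {}

    // Stand-in for the ERC777 tokensToSend hook: an external call into code chosen
    // by `from`, i.e. the point at which control leaves this contract.
    function _callTokensToSend(address operator, address from, address to, uint256 amount) internal virtual;

    // Ordering as described in the advisory: the extension hook has already run
    // and balances have not yet changed when the external call is made, so any
    // reentrant read sees _beforeTokenTransfer state that is ahead of _balances.
    function _burnVulnerable(address from, uint256 amount) internal {
        address operator = msg.sender;
        _beforeTokenTransfer(operator, from, address(0), amount);
        _callTokensToSend(operator, from, address(0), amount); // external call; balances still old
        require(_balances[from] >= amount, "burn amount exceeds balance");
        _balances[from] -= amount;
        _totalSupply -= amount;
    }

    // One safe ordering: make the external call first, so _beforeTokenTransfer and
    // the balance update are adjacent and no external code runs between them.
    function _burnReordered(address from, uint256 amount) internal {
        address operator = msg.sender;
        _callTokensToSend(operator, from, address(0), amount); // external call; nothing changed yet
        _beforeTokenTransfer(operator, from, address(0), amount);
        require(_balances[from] >= amount, "burn amount exceeds balance");
        _balances[from] -= amount;
        _totalSupply -= amount;
    }
}

// Example extension (assumption): per-account burn accounting kept in the hook.
// Its invariant, deposited == balance + burned, is what a reentrant call could
// observe as violated under the vulnerable ordering.
abstract contract BurnAccounting is SimplifiedBurn {
    mapping(address => uint256) internal _deposited;
    mapping(address => uint256) internal _burned;

    function _beforeTokenTransfer(address, address from, address to, uint256 amount) internal virtual override {
        if (to == address(0)) {
            _burned[from] += amount; // updated before the balance under the vulnerable ordering
        }
    }

    // Defensive check callers (or tests) can use: false while state is desynchronised.
    function accountingConsistent(address account) public view returns (bool) {
        return _deposited[account] == _balances[account] + _burned[account];
    }
}
```

Under `_burnVulnerable`, `accountingConsistent(from)` returns false for the duration of `_callTokensToSend`, because `_burned[from]` has grown while `_balances[from]` has not shrunk; under `_burnReordered` the external call happens while both are still untouched, and the two updates then complete without interruption. When auditing a custom ERC777 extension on an affected version, the question to ask of every override of `_beforeTokenTransfer` is whether anything reachable during the sender hook reads the state it modifies.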