Improper Synchronization Affecting @openzeppelin/contracts package, versions <3.4.0-rc.0


Severity: medium

  • Attack Complexity: High
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High

  • snyk-id: SNYK-JS-OPENZEPPELINCONTRACTS-1065254
  • published: 27 Jan 2021
  • disclosed: 27 Jan 2021
  • credit: Hubert Ritzdorf, antonper (Anton)

How to fix?

Upgrade @openzeppelin/contracts to version 3.4.0-rc.0 or higher.

Overview

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Synchronization in the ERC777 contract. Extending ERC777 with a custom _beforeTokenTransfer override can expose the token to reentrancy. When burning tokens, the contract invokes _beforeTokenTransfer first, then makes an external call to the sender's tokensToSend hook, and only afterwards updates balances and total supply. The sender receives control during that external call and may reenter the contract; at that moment any state maintained by the custom _beforeTokenTransfer already reflects the burn while the actual token balances and total supply do not, so the two are out of sync. The release 3.4.0-rc.0 reorders the burn path so that the hook and the state update run after the external call, with no external call between them.
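The ordering problem in the burn path, as an added illustration for this page rather than code from @openzeppelin/contracts. The model below strips ERC777 down to the parts that matter here: a burn function, a _beforeTokenTransfer override that keeps per-account burn accounting (a hypothetical example of "state managed by _beforeTokenTransfer"), and the external tokensToSend call to the sender. Assumptions: the ERC1820 registry lookup is replaced by a direct call when the sender is a contract, operator checks and events are omitted, and Solidity 0.8 checked arithmetic is relied on. The constructor flag selects the vulnerable ordering (hook, then external call) or the corrected ordering (external call, then hook and state update together).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// ERC-777 sender hook interface, as defined by the standard.
interface IERC777Sender {
    function tokensToSend(
        address operator,
        address from,
        address to,
        uint256 amount,
        bytes calldata userData,
        bytes calldata operatorData
    ) external;
}

// Reduced model of the burn path; written for this page, not the library code.
// Assumption: the hook is called directly when `from` is a contract (no ERC1820).
contract BurnOrderingModel {
    mapping(address => uint256) private _balances;
    uint256 private _totalSupply;

    // Hypothetical bookkeeping kept by a custom _beforeTokenTransfer override.
    // Intended invariant: mintedTo[a] == balanceOf(a) + burnedFrom[a] for every a.
    mapping(address => uint256) public mintedTo;
    mapping(address => uint256) public burnedFrom;

    bool public immutable useFixedOrder;

    constructor(bool fixedOrder) {
        useFixedOrder = fixedOrder;
    }

    function mint(address to, uint256 amount) external {
        _balances[to] += amount;
        _totalSupply += amount;
        mintedTo[to] += amount;
    }

    function balanceOf(address account) public view returns (uint256) {
        return _balances[account];
    }

    function totalSupply() public view returns (uint256) {
        return _totalSupply;
    }

    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    // The kind of override the advisory warns about: it updates state that is
    // meant to mirror the balance change about to happen.
    function _beforeTokenTransfer(address from, address to, uint256 amount) internal {
        if (to == address(0)) {
            burnedFrom[from] += amount;
        }
    }

    // External call to the sender; control leaves this contract here.
    function _callTokensToSend(address from, uint256 amount) private {
        if (from.code.length > 0) {
            IERC777Sender(from).tokensToSend(msg.sender, from, address(0), amount, "", "");
        }
    }

    function _burn(address from, uint256 amount) internal {
        require(from != address(0), "burn from the zero address");
        if (useFixedOrder) {
            // Corrected ordering: external call first, then hook and balance
            // update run back to back with no external call between them.
            _callTokensToSend(from, amount);
            _beforeTokenTransfer(from, address(0), amount);
        } else {
            // Vulnerable ordering: hook state already reflects the burn when the
            // sender gets control, but balances and total supply do not.
            _beforeTokenTransfer(from, address(0), amount);
            _callTokensToSend(from, amount);
        }
        require(_balances[from] >= amount, "burn amount exceeds balance");
        _balances[from] -= amount;
        _totalSupply -= amount;
    }
}

// Token holder that checks the override's invariant at the moment its hook runs.
contract ObservingHolder is IERC777Sender {
    BurnOrderingModel public token;
    bool public sawInconsistentState;

    constructor(BurnOrderingModel token_) {
        token = token_;
    }

    function burn(uint256 amount) external {
        token.burn(amount);
    }

    function tokensToSend(address, address from, address, uint256, bytes calldata, bytes calldata)
        external
        override
    {
        // Vulnerable order: burnedFrom already counts this burn, the balance does not.
        // Fixed order: neither has changed yet, so the invariant still holds here.
        if (token.mintedTo(from) != token.balanceOf(from) + token.burnedFrom(from)) {
            sawInconsistentState = true;
        }
    }
}
```

Deploy BurnOrderingModel(false), deploy an ObservingHolder against it, mint to the holder and call holder.burn(): sawInconsistentState() becomes true because the hook observed burnedFrom updated while balanceOf was unchanged. With BurnOrderingModel(true) it stays false. The same window is what a reentrant call from tokensToSend back into burn() would act on in the vulnerable ordering; the corrected ordering closes it by leaving no external call between the override and the state update.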