Improper Synchronization Affecting @openzeppelin/contracts package, versions <3.4.0-rc.0



    Attack Complexity High
    User Interaction Required
    Scope Changed
    Confidentiality High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • published 27 Jan 2021
  • disclosed 27 Jan 2021
  • credit Hubert Ritzdorf, antonper (Anton)

Introduced: 27 Jan 2021

CVE NOT AVAILABLE CWE-662 Open this link in a new tab

How to fix?

Upgrade @openzeppelin/contracts to version 3.4.0-rc.0 or higher.


@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Synchronization via the ERC777 contract. Extending this contract with a custom _beforeTokenTransfer function could allow a reentrancy attack to happen. When burning tokens, _beforeTokenTransfer is invoked before the send hook is externally called on the sender while token balances are adjusted afterwards. At the moment of the call to the sender, which can result in reentrancy, state managed by _beforeTokenTransfer may not correspond to the actual token balances or total supply.