Improper Synchronization Affecting @openzeppelin/contracts package, versions <3.4.0-rc.0


Severity

medium (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-JS-OPENZEPPELINCONTRACTS-1065254
  • published: 27 Jan 2021
  • disclosed: 27 Jan 2021
  • credit: Hubert Ritzdorf, antonper (Anton)

Introduced: 27 Jan 2021

CVE: not available. CWE-662 (Improper Synchronization)

How to fix?

Upgrade @openzeppelin/contracts to version 3.4.0-rc.0 or higher.

Overview

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Improper Synchronization via the ERC777 contract. Extending this contract with a custom `_beforeTokenTransfer` hook can open a reentrancy window. When tokens are burned, `_beforeTokenTransfer` is invoked before the `tokensToSend` hook is called externally on the sender, while the token balances and total supply are adjusted only afterwards. Because the call to the sender runs arbitrary external code, it can reenter the token contract; at that moment any state maintained by `_beforeTokenTransfer` has already been updated for the burn while the actual balances and total supply have not, so the two no longer agree. The base contract's own balance accounting is not corrupted by this; the risk is to extensions whose hook-maintained state is read, directly or through reentrancy, during the external call.
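The interleaving described above, as an added model written for this page; it is not OpenZeppelin's Solidity code. The token is reduced to the pieces the advisory mentions: a `_before_token_transfer` hook that a hypothetical extension uses to keep a running `burned_total`, the external `tokensToSend` call to the sender, and the balance/supply update that happens last. The "fixed" ordering (external call first, then `_beforeTokenTransfer`) is the reordering the advisory's description implies; it is an assumption of the model, not a quote of the 3.4.0 source. The attacker's hook, the account names and the amounts are constructed sample input.

```python
class ERC777Model:
    """Minimal model of ERC777 burn with a tokensToSend hook.

    `order` selects the call ordering inside `burn`:
      "vulnerable" - _beforeTokenTransfer, then external tokensToSend call
                     (the <3.4.0-rc.0 behaviour the advisory describes)
      "fixed"      - external tokensToSend call, then _beforeTokenTransfer
                     (assumed fix ordering; not a quote of the 3.4.0 source)
    Balances and total supply are adjusted after both steps in either case.
    """

    def __init__(self, order):
        assert order in ("vulnerable", "fixed")
        self.order = order
        self.balances = {}
        self.total_supply = 0
        self.minted_total = 0
        # Hypothetical extension state maintained by _before_token_transfer:
        # cumulative amount burned so far.
        self.burned_total = 0
        self.hooks = {}  # holder -> tokensToSend callback (stands in for ERC1820 lookup)

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount
        self.minted_total += amount

    def register_tokens_to_send(self, holder, hook):
        self.hooks[holder] = hook

    def invariant_holds(self):
        """The extension's accounting must agree with the real supply at any
        point where external code can observe the contract."""
        return self.total_supply + self.burned_total == self.minted_total

    def _before_token_transfer(self, operator, frm, to, amount):
        if to is None:  # `to is None` models the zero address, i.e. a burn
            self.burned_total += amount

    def _call_tokens_to_send(self, operator, frm, to, amount):
        hook = self.hooks.get(frm)
        if hook is not None:
            hook(self, operator, frm, to, amount)  # external call: reentrancy point

    def burn(self, frm, amount):
        if self.order == "vulnerable":
            self._before_token_transfer(frm, frm, None, amount)
            self._call_tokens_to_send(frm, frm, None, amount)
        else:
            self._call_tokens_to_send(frm, frm, None, amount)
            self._before_token_transfer(frm, frm, None, amount)
        # Balances and supply are updated only after the external call.
        if self.balances.get(frm, 0) < amount:
            raise ValueError("ERC777: burn amount exceeds balance")
        self.balances[frm] -= amount
        self.total_supply -= amount


def observe_during_hook(order, reenter=True):
    """Mint 100 to a constructed attacker account, burn 40, and record what
    the attacker's tokensToSend hook sees. The hook reenters `burn` once
    (10 tokens) while the outer burn is still in flight."""
    token = ERC777Model(order)
    attacker = "attacker"  # constructed sample account
    token.mint(attacker, 100)
    seen = []

    def tokens_to_send(tok, operator, frm, to, amount):
        seen.append(tok.invariant_holds())
        if reenter and len(seen) == 1:
            tok.burn(frm, 10)  # reentrant burn from inside the external call

    token.register_tokens_to_send(attacker, tokens_to_send)
    token.burn(attacker, 40)
    return {
        "invariant_seen_in_hook": seen,
        "final_invariant": token.invariant_holds(),
        "final_balance": token.balances[attacker],
        "final_supply": token.total_supply,
    }


if __name__ == "__main__":
    for order in ("vulnerable", "fixed"):
        print(order, observe_during_hook(order))
```

Run it and compare the two orderings: the final balances and supply are identical (the base accounting is never corrupted), but in the vulnerable ordering every observation made from inside the hook, including the reentrant one, sees `burned_total` already advanced while `total_supply` has not moved. That transient disagreement is exactly what an extension that trusts its `_beforeTokenTransfer` state during the external call would act on.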

CVSS Scores (version 3.1)