Homepage
About Snyk

Incorrect Resource Transfer Between Spheres Affecting @openzeppelin/contracts package, versions >=4.6.0 <4.7.2

Severity

 Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.06% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-OPENZEPPELINCONTRACTS-2965580
  • published 2 Aug 2022
  • disclosed 2 Aug 2022
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 2 Aug 2022

CVE-2022-35916 Open this link in a new tab
CWE-669 Open this link in a new tab

How to fix?

Upgrade @openzeppelin/contracts to version 4.7.2 or higher.

Overview

@openzeppelin/contracts is a library for contract development.

Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres via contracts using the cross-chain utilities for Arbitrum L2: CrossChainEnabledArbitrumL2 or LibArbitrumL2. They will classify direct interactions of externally owned accounts (EOAs) as cross-chain calls, even though they are not started on L1.

Note: Any action taken by an EOA on the contract can also be taken by the EOA through the bridge if the issue was not present.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
3.7 low
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

NVD

5.3 medium