Incorrect Resource Transfer Between Spheres Affecting @openzeppelin/contracts-upgradeable package, versions >=4.6.0 <4.7.2


Severity: low (Snyk recommended)

CVSS assessment made by Snyk's Security Team

Threat Intelligence

EPSS: 0.06% (28th percentile)

  • Snyk ID SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-2965581
  • published 2 Aug 2022
  • disclosed 2 Aug 2022
  • credit Unknown

How to fix?

Upgrade @openzeppelin/contracts-upgradeable to version 4.7.2 or higher.
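As an added example (not Snyk's or OpenZeppelin's code), the script below walks a package-lock.json and flags every installed copy of the package, hoisted or nested, whose version falls in the affected range >=4.6.0 <4.7.2. The lockfile contents are constructed; the lockfile shape assumed is npm lockfileVersion 2 or 3 with a "packages" map.

```javascript
// Added example: find installed @openzeppelin/contracts-upgradeable copies
// in the affected range >=4.6.0 <4.7.2 by scanning a package-lock.json
// "packages" map (lockfileVersion 2/3). Not Snyk's or OpenZeppelin's code.
const PKG = "@openzeppelin/contracts-upgradeable";
const AFFECTED_MIN = [4, 6, 0]; // inclusive lower bound from the advisory
const FIXED = [4, 7, 2];        // exclusive upper bound: first fixed release

// Parse "4.7.1" (a leading "v" or a prerelease tag like "-rc.0" is ignored,
// a simplification) into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside the advisory's affected range.
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// Return every install path of PKG (hoisted or nested) that is affected.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${PKG}`) && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one hoisted affected copy, one nested fixed copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    [`node_modules/${PKG}`]: { version: "4.6.0" },
    [`node_modules/some-dep/node_modules/${PKG}`]: { version: "4.7.2" },
    "node_modules/@openzeppelin/contracts": { version: "4.6.0" }, // not the package this advisory covers
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any hit means the upgrade above is still pending for that install path.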

Overview

@openzeppelin/contracts-upgradeable is a secure smart contract library for Solidity.

Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres. Contracts that use the cross-chain utilities for Arbitrum L2 (CrossChainEnabledArbitrumL2 or LibArbitrumL2) classify direct calls from externally owned accounts (EOAs) as cross-chain calls, even though those calls did not originate on L1.

Note: any action an EOA can take on the contract directly could also be taken by that EOA through the bridge even if the issue were not present.

CVSS Scores (version 3.1)

Snyk (recommended): 3.7 low
  • Attack Vector (AV): Network
  • Attack Complexity (AC): High
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): None
  • Integrity (I): Low
  • Availability (A): None

NVD: 5.3 medium