Missing Authorization Affecting @openzeppelin/contracts-upgradeable package, versions >=4.3.0 <4.9.1
Snyk ID SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-5672117
- published 8 Jun 2023
- disclosed 8 Jun 2023
- credit Lior Abadi, Joaquin Pereyra
Introduced: 8 Jun 2023
CVE-2023-34234
How to fix?
Upgrade @openzeppelin/contracts-upgradeable to version 4.9.1 or higher.
Overview
@openzeppelin/contracts-upgradeable is a Secure Smart Contract library for Solidity.
Affected versions of this package are vulnerable to Missing Authorization. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.
Note: In order for this attack to succeed, an attacker would need to have prior knowledge of a proposal creation.
Impact:
This issue impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0.
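The following Solidity contracts are an added illustration written for this page; they are not OpenZeppelin's code. `MinimalGovernor` models the pre-4.9.1 behaviour described above: the proposal id is derived only from the proposal content, so whoever lands `propose` first for that content becomes the proposer and is the only party allowed to `cancel`. `ProposerBoundGovernor` shows a hardened variant in the spirit of the description-suffix mechanism that 4.9.1 introduced (a description ending in `#proposer=0x<address>` can only be proposed by that address), implemented here in a simplified form of this editor's own. Contract names, the `State` enum and the helper `_hexValue` are assumptions, not identifiers from the library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed model of a Governor's propose/cancel pair (not OpenZeppelin's code).
// Proposal ids depend only on proposal content, so the first account to call
// `propose` with a given content becomes its proposer and may cancel it.
contract MinimalGovernor {
    enum State { Unset, Pending, Canceled }

    struct Proposal {
        address proposer;
        State state;
    }

    mapping(uint256 => Proposal) internal _proposals;

    function hashProposal(
        address[] memory targets,
        uint256[] memory values,
        bytes[] memory calldatas,
        bytes32 descriptionHash
    ) public pure returns (uint256) {
        return uint256(keccak256(abi.encode(targets, values, calldatas, descriptionHash)));
    }

    // Weak form: any caller may claim a not-yet-used proposal id. A second
    // `propose` with identical content reverts, whoever sends it.
    function propose(
        address[] memory targets,
        uint256[] memory values,
        bytes[] memory calldatas,
        string memory description
    ) public virtual returns (uint256 proposalId) {
        proposalId = hashProposal(targets, values, calldatas, keccak256(bytes(description)));
        require(_proposals[proposalId].state == State.Unset, "Governor: proposal already exists");
        _proposals[proposalId] = Proposal({proposer: msg.sender, state: State.Pending});
    }

    // Only the recorded proposer may cancel while the proposal is pending.
    function cancel(uint256 proposalId) public {
        Proposal storage p = _proposals[proposalId];
        require(p.state == State.Pending, "Governor: proposal not pending");
        require(msg.sender == p.proposer, "Governor: only proposer can cancel");
        p.state = State.Canceled;
    }

    function proposerOf(uint256 proposalId) public view returns (address) {
        return _proposals[proposalId].proposer;
    }
}

// Hardened form (editor's simplified version of the suffix idea): a description
// ending in "#proposer=0x" plus 40 hex characters may only be proposed by that
// address, so a copied proposal submitted by anyone else reverts instead of
// claiming the id. Descriptions without the suffix stay unrestricted.
contract ProposerBoundGovernor is MinimalGovernor {
    function propose(
        address[] memory targets,
        uint256[] memory values,
        bytes[] memory calldatas,
        string memory description
    ) public override returns (uint256) {
        require(isValidDescriptionForProposer(msg.sender, description), "Governor: proposer restricted");
        return super.propose(targets, values, calldatas, description);
    }

    function isValidDescriptionForProposer(address proposer, string memory description)
        public pure returns (bool)
    {
        bytes memory d = bytes(description);
        uint256 len = d.length;
        if (len < 52) return true; // too short for a suffix: unrestricted
        bytes memory marker = bytes("#proposer=0x");
        uint256 start = len - 52;
        for (uint256 i = 0; i < 12; i++) {
            if (d[start + i] != marker[i]) return true; // no marker: unrestricted
        }
        uint160 recovered = 0;
        for (uint256 i = len - 40; i < len; i++) {
            (bool ok, uint8 v) = _hexValue(d[i]);
            if (!ok) return true; // malformed address: treated as no restriction
            recovered = recovered * 16 + v;
        }
        return recovered == uint160(proposer);
    }

    // Parse one ASCII hex digit; returns (false, 0) for anything else.
    function _hexValue(bytes1 c) private pure returns (bool, uint8) {
        uint8 b = uint8(c);
        if (b >= 48 && b <= 57) return (true, b - 48);  // '0'..'9'
        if (b >= 65 && b <= 70) return (true, b - 55);  // 'A'..'F'
        if (b >= 97 && b <= 102) return (true, b - 87); // 'a'..'f'
        return (false, 0);
    }
}
```

With `MinimalGovernor`, a transaction carrying the same `targets`, `values`, `calldatas` and `description` that is mined before the intended proposer's transaction makes its sender the proposer, and the intended proposer's call then reverts with "proposal already exists". With `ProposerBoundGovernor`, a proposal whose description ends in the intended proposer's address reverts for any other sender, so that sender never obtains the id or the right to cancel; the trade-off is that proposers must remember to append the suffix, since an omitted or malformed one leaves the proposal unrestricted.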
Workaround
Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection.