CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-34234 – Governor proposal creation may be blocked by frontrunning in OpenZeppelin
https://notcve.org/view.php?id=CVE-2023-34234
07 Jun 2023 — OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. • https://github.com/OpenZeppelin/openzeppelin-contracts/commit/d9474327a492f9f310f31bc53f38dbea56ed9a57 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-30541 – TransparentUpgradeableProxy clashing selector calls may not be delegated in @openzeppelin/contracts
https://notcve.org/view.php?id=CVE-2023-30541
17 Apr 2023 — OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata. The probability of an accidental clash is negligible, but one could be caused deliberately and could cause a reduction in availability. ... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4154 • CWE-436: Interpretation Conflict •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-30542 – GovernorCompatibilityBravo may trim proposal calldata
https://notcve.org/view.php?id=CVE-2023-30542
16 Apr 2023 — OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The `ProposalCreated` event correctly represents what will eventually execute, but the proposal pa... • https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3 • CWE-20: Improper Input Validation •
CVSS: 5.6EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39384 – OpenZeppelin Contracts initializer reentrancy may lead to double initialization
https://notcve.org/view.php?id=CVE-2022-39384
04 Nov 2022 — OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible in the scenario described above, breaking the ex... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3006 • CWE-665: Improper Initialization •
CVSS: 7.9EPSS: 0%CPEs: 2EXPL: 0CVE-2022-35961 – ECDSA signature malleability in OpenZeppelin Contracts
https://notcve.org/view.php?id=CVE-2022-35961
14 Aug 2022 — OpenZeppelin Contracts is a library for secure smart contract development. The functions `ECDSA.recover` and `ECDSA.tryRecover` are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issue for the functions that take a single `bytes` argument, and not the functions that take `r, v, s` or `r, vs` as separate arguments. The potentially affected contracts are those that implement signature reuse or... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3610 • CWE-354: Improper Validation of Integrity Check Value •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2022-35915 – Unbounded gas consumption in @openzeppelin/contracts
https://notcve.org/view.php?id=CVE-2022-35915
01 Aug 2022 — OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31198 – GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals in @openzeppelin/contracts
https://notcve.org/view.php?id=CVE-2022-31198
01 Aug 2022 — OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirements, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement. ... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3561 • CWE-682: Incorrect Calculation •