CVE-2022-39384 – OpenZeppelin Contracts initializer reentrancy may lead to double initialization
https://notcve.org/view.php?id=CVE-2022-39384
04 Nov 2022 — OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible in the scenario described above, breaking the ex... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3006 • CWE-665: Improper Initialization •
CVE-2022-35961 – ECDSA signature malleability in OpenZeppelin Contracts
https://notcve.org/view.php?id=CVE-2022-35961
14 Aug 2022 — OpenZeppelin Contracts is a library for secure smart contract development. The functions `ECDSA.recover` and `ECDSA.tryRecover` are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issue for the functions that take a single `bytes` argument, and not the functions that take `r, v, s` or `r, vs` as separate arguments. The potentially affected contracts are those that implement signature reuse or... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3610 • CWE-354: Improper Validation of Integrity Check Value •
CVE-2022-35915 – Unbounded gas consumption in @openzeppelin/contracts
https://notcve.org/view.php?id=CVE-2022-35915
01 Aug 2022 — OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2022-35916 – Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls
https://notcve.org/view.php?id=CVE-2022-35916
01 Aug 2022 — OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This issue has been patched in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578 • CWE-669: Incorrect Resource Transfer Between Spheres •
CVE-2022-31198 – GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals in @openzeppelin/contracts
https://notcve.org/view.php?id=CVE-2022-31198
01 Aug 2022 — OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirements, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement. ... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3561 • CWE-682: Incorrect Calculation •
CVE-2022-31170 – OpenZeppelin Contracts's ERC165Checker may revert instead of returning false
https://notcve.org/view.php?id=CVE-2022-31170
21 Jul 2022 — OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning `false`. `ERC165Checker.supportsInterface` is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1. The co... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552 • CWE-20: Improper Input Validation CWE-252: Unchecked Return Value •
CVE-2022-31172 – OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
https://notcve.org/view.php?id=CVE-2022-31172
21 Jul 2022 — OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. `SignatureChecker.isValidSignatureNow` is not expected to revert. However, an incorrect assumption about Solidity 0.8's `abi.decode` allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use `SignatureChecker` to check the validity of a signature and handle invalid signatu... • https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552 • CWE-20: Improper Input Validation CWE-347: Improper Verification of Cryptographic Signature •
CVE-2022-31153 – OpenZeppelin Contracts for Cairo account cannot process transactions on Goerli
https://notcve.org/view.php?id=CVE-2022-31153
15 Jul 2022 — OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing ... • https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203 • CWE-664: Improper Control of a Resource Through its Lifetime CWE-863: Incorrect Authorization •
CVE-2021-46320
https://notcve.org/view.php?id=CVE-2021-46320
04 Feb 2022 — In OpenZeppelin <=v4.4.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in place to support multiple inheritance made reentrancy possible, breaking the expectation that there is a single execution. En OpenZeppelin versiones anteriores a v4.4.0 incluyéndola, las funciones d... • https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9c22-pwxw-p6hx • CWE-665: Improper Initialization •
CVE-2021-41264 – UUPSUpgradeable vulnerability in OpenZeppelin Contracts
https://notcve.org/view.php?id=CVE-2021-41264
12 Nov 2021 — OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`. For users unable to upgrade; initialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the f... • https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301 • CWE-665: Improper Initialization •