CVE-2022-31198

GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals in @openzeppelin/contracts

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirements, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement. Analysis of instances on chain found only one proposal that met this condition, and we are actively monitoring for new occurrences of this particular issue. This issue has been patched in v4.7.2. Users are advised to upgrade. Users unable to upgrade should consider avoiding lowering quorum requirements if a past proposal was defeated for lack of quorum.

OpenZeppelin Contracts es una biblioteca para el desarrollo de contratos inteligentes seguros. Este problema afecta a las instancias de Governor que usan el módulo "GovernorVotesQuorumFraction", un mecanismo que determina los requisitos de quórum como un porcentaje del suministro total del token de votación. En las instancias afectadas, cuando es aprobada una propuesta para reducir los requisitos de quórum, las propuestas anteriores pueden volverse ejecutables si habían sido derrotadas sólo por falta de quórum, y el número de votos que recibió cumple con el nuevo requisito de quórum. El análisis de las instancias en la cadena encontró sólo una propuesta que cumplía esta condición, y estamos monitoreando activamente para nuevas ocurrencias de este problema en particular. Este problema ha sido corregido en versión 4.7.2. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizarse deberían considerar la posibilidad de no reducir los requisitos de quórum si una propuesta anterior fue rechazada por falta de quórum

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Complete

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-08-01 CVE Published
2024-02-22 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-682: Incorrect Calculation

CAPEC

References (2)

URL	Tag	Source
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-xrc4-737v-9q75	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3561	2022-12-06

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openzeppelin Search vendor "Openzeppelin"		Contracts Search vendor "Openzeppelin" for product "Contracts"				>= 4.3.0 < 4.7.2 Search vendor "Openzeppelin" for product "Contracts" and version " >= 4.3.0 < 4.7.2"		node.js		Affected
Openzeppelin Search vendor "Openzeppelin"		Contracts Upgradeable Search vendor "Openzeppelin" for product "Contracts Upgradeable"				>= 4.3.0 < 4.7.2 Search vendor "Openzeppelin" for product "Contracts Upgradeable" and version " >= 4.3.0 < 4.7.2"		node.js		Affected