Lucene search
K

553 matches found

Cvelist
Cvelist
added 2024/02/29 6:18 p.m.16 views

CVE-2024-27094 OpenZeppelin Contracts base64 encoding may read from potentially dirty memory

OpenZeppelin Contracts is a library for secure smart contract development. The Base64.encode function encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The...

6.5CVSS6.5AI score0.00763EPSS
Exploits0References5
CVE
CVE
added 2024/02/29 6:18 p.m.107 views

CVE-2024-27094

OpenZeppelin Contracts Base64.encode has a memory-read flaw when input length is not a multiple of 3, risking corruption of the encoded output. This affects OpenZeppelin Contracts (and upgradeable) prior to versions 5.0.2 and 4.9.6. Remediation: upgrade to 5.0.2 or 4.9.6. No exploit details are p...

7.4CVSS6.3AI score0.00763EPSS
Exploits0References5Affected Software2
OSV
OSV
added 2024/02/29 6:18 p.m.16 views

CVE-2024-27094 OpenZeppelin Contracts base64 encoding may read from potentially dirty memory

OpenZeppelin Contracts is a library for secure smart contract development. The Base64.encode function encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. The...

6.5CVSS6.3AI score0.00763EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2024/02/29 12:0 a.m.7 views

PT-2024-21645

Name of the Vulnerable Software and Affected Versions OpenZeppelin Contracts versions prior to 4.9.6 OpenZeppelin Contracts versions prior to 5.0.2 Description The Base64.encode function in OpenZeppelin Contracts encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is...

7.4CVSS6.5AI score0.00763EPSS
Exploits0References12
Code423n4
Code423n4
added 2024/01/08 12:0 a.m.13 views

GovernorOLAS is susceptible to DOS via proposal frontrunning

Lines of code Vulnerability details Impact The GovernorOLAS contract inherits from OpenZeppelin's GovernorCompatibilityBravo v4.8.3, which has a known vulnerability in the proposal creation process that can be exploited to halt proposals sent to the governor. The root cause of this vulnerability ...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2024/01/08 12:0 a.m.21 views

Signatures can be replayed to cast with castVoteWithReasonAndParamsBySig() more votes than the user intended in GovernorOLAS

Lines of code Vulnerability details Impact In the "GovernorOLAS.sol" contract, as the comment line supports the OpenZeppelin functions are used as is. However, the inherited OpenZeppelin 4.8.3 library exposes a signature replay vulnerability due to the lack of use of nonce in the...

7AI score
Exploits0
Code423n4
Code423n4
added 2023/12/21 12:0 a.m.16 views

No access control on critical functions

Lines of code Vulnerability details The contract lacks proper access control on critical functions, allowing unauthorized parties to execute them. Recommendation: Use OpenZeppelin Ownable control for minting/burning, etc. Before: // No access control checks in critical functions function...

7.5AI score
Exploits0
Code423n4
Code423n4
added 2023/12/21 12:0 a.m.17 views

Signature Malleability in CultureIndex::_verifyVoteSignature function

Lines of code Vulnerability details Impact The elliptic curve used in Ethereum for signatures is symmetrical, hence for every v,r,s there exists another v,r,s that returns the same valid result. Therefore two valid signatures exist which allows attackers to compute a valid signature without knowi...

6.8AI score
Exploits0
Code423n4
Code423n4
added 2023/12/20 12:0 a.m.16 views

_safeMint() should be used rather than _mint() wherever possible

Lines of code 139, 178, 204 Vulnerability details mint is discouraged in favor of safeMint which ensures that the recipient is either an EOA or implements IERC721Receiver. Both OpenZeppelin and solmate have versions of this function. In the cases below, mint does not call...

7.1AI score
Exploits0
Code423n4
Code423n4
added 2023/12/20 12:0 a.m.10 views

_safeMint() should be used rather than _mint() wherever possible

Lines of code 139, 178, 204 Vulnerability details mint is discouraged in favor of safeMint which ensures that the recipient is either an EOA or implements IERC721Receiver. Both OpenZeppelin and solmate have versions of this function. In the cases below, mint does not call...

7.1AI score
Exploits0
vulnersOsv
vulnersOsv
added 2023/12/12 12:49 a.m.4 views

@offchainlabs/l1-l3-teleport-contracts (>=0.1.0-alpha.1 <=1.0.1) potentially affected by CVE-2023-49798 via @openzeppelin/contracts (=4.9.4)

@openzeppelin/contracts NPM version =4.9.4 is affected by a known vulnerability. The following packages have a transitive dependency on @openzeppelin/contracts and may be impacted: - @offchainlabs/l1-l3-teleport-contracts =0.1.0-alpha.1, =1.0.1 Source cves: CVE-2023-49798 Source advisory:...

7.5CVSS7.1AI score0.00543EPSS
Exploits0
Github Security Blog
Github Security Blog
added 2023/12/12 12:49 a.m.26 views

OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4

Context Merge conflict resolution issue when porting the v5.0.1 Multicall update to the v4.9 branch caused a duplicated line. Impact Versions using Multicall from @openzeppelin/[email protected] and @openzeppelin/[email protected] will execute each subcall twice. Concretely, this exposes ...

7.5CVSS7.2AI score0.00543EPSS
Exploits0References5Affected Software2
OSV
OSV
added 2023/12/12 12:49 a.m.15 views

GHSA-699G-Q6QH-Q4V8 OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4

Context Merge conflict resolution issue when porting the v5.0.1 Multicall update to the v4.9 branch caused a duplicated line. Impact Versions using Multicall from @openzeppelin/[email protected] and @openzeppelin/[email protected] will execute each subcall twice. Concretely, this exposes ...

5.9CVSS7.5AI score0.00543EPSS
Exploits0References5
Code423n4
Code423n4
added 2023/12/12 12:0 a.m.9 views

Unsafe use of transfer()/transferFrom() with IERC20

Lines of code 377, 509, 491, 530, 42, 50 Vulnerability details Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example Tether USDT's transfer and transferFrom functions on L1 do not return booleans as the specification...

7.3AI score
Exploits0
Code423n4
Code423n4
added 2023/12/12 12:0 a.m.13 views

Unsafe use of transfer()/transferFrom() with IERC20

Lines of code 377, 509, 491, 530, 42, 50 Vulnerability details Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example Tether USDT's transfer and transferFrom functions on L1 do not return booleans as the specification...

7.3AI score
Exploits0
Veracode
Veracode
added 2023/12/11 8:22 a.m.14 views

Always-Incorrect Control Flow Implementation

OpenZeppelin is vulnerable to Always-Incorrect Control Flow Implementation. The vulnerability is due to the duplication of functionDelegateCall in the Multicall.sol file. This could lead to Unintended Duplicate Operations...

7.5CVSS7AI score0.00543EPSS
Exploits0References2Affected Software2
NVD
NVD
added 2023/12/09 12:15 a.m.25 views

CVE-2023-49798

OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of Multicall.sol released in @openzeppelin/[email protected] and @openzeppelin/[email protected], all subcalls are...

7.5CVSS0.00543EPSS
Exploits0References2
Prion
Prion
added 2023/12/09 12:15 a.m.18 views

Design/Logic Flaw

OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of Multicall.sol released in @openzeppelin/email protected and @openzeppelin/email protected, all subcalls are executed twice...

5CVSS7AI score0.00543EPSS
Exploits0References2Affected Software2
CNNVD
CNNVD
added 2023/12/09 12:0 a.m.5 views

OpenZeppelin Security Vulnerability

OpenZeppelin is a software application. A standard for secure blockchain applications. OpenZeppelin Contracts suffers from a security vulnerability that stems from subjecting users to unintentional duplicate operations, such as asset transfers...

7.5CVSS6.7AI score0.00543EPSS
Exploits0References3
Cvelist
Cvelist
added 2023/12/08 11:35 p.m.19 views

CVE-2023-49798 Duplicated execution of subcalls in OpenZeppelin Contracts

OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of Multicall.sol released in @openzeppelin/[email protected] and @openzeppelin/[email protected], all subcalls are...

5.9CVSS7.7AI score0.00543EPSS
Exploits0References2
Rows per page
Query Builder