28 matches found
Design/Logic Flaw
OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to...
CVE-2022-31170 OpenZeppelin Contracts's ERC165Checker may revert instead of returning false
OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning false. ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an...
CVE-2022-31172 OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to...
CVE-2022-31172
OpenZeppelin Contracts (library) is affected by CVE-2022-31172 in versions 4.1.0–4.7.1, where SignatureChecker.isValidSignatureNow may revert due to an incorrect assumption about Solidity 0.8 ABI decoding, especially when a target contract does not implement EIP-1271 as expected. The vulnerabilit...
CVE-2022-31153
OpenZeppelin Contracts for Cairo (v0.2.0) contains a bug that renders account contracts unusable on live networks. The issue affects all accounts (vanilla and Ethereum flavors) in the v0.2.0 release and only Goerli deployments are affected; StarkNet’s testing framework does not exhibit the faulty...
CVE-2021-41264
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and...
CVE-2021-41264
OpenZeppelin CVE-2021-41264 affects upgradeable contracts using UUPSUpgradeable due to uninitialized implementation contracts. The vulnerability is addressed in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. If upgrading is not possible, a mitigation is to initi...
Code injection
OpenZepplin is a library for smart contract development. In affected versions a vulnerability in TimelockController allowed an actor with the executor role to escalate privileges. Further details about the vulnerability will be disclosed at a later date. As a workaround revoke the executor role...