onlyProxy MODIFIER CAN BE BYPASSED BY A MALICIOUS PROXY CONTRACT AND CAN PUSH THE IMPLEMENTATION CONTRACT INTO AN UNDESIRABLE STATE

Lines of code Vulnerability details Impact The Upgradeable.onlyProxy modifier is used to ensure that a function can only be called by the proxy and can not be directly called in the Upgradeable.sol contract. The onlyProxy modifier implementation is as follows: modifier onlyProxy // Prevent setup...

Anyone Can selfdestruct The VaultProxy Contract.

Lines of code Vulnerability details Vulnerability Details -Since the initialise function is missing initializer modifier as it's inteded to be not protected as per ETHx smart contract functions documentation , And Since VaultFactory contract doesn't initialize the VaultProxy upon its initializati...

SUSE CVE-2010-3708

The serialization implementation in JBoss Drools in Red Hat JBoss Enterprise Application Platform aka JBoss EAP or JBEAP 4.3 before 4.3.0.CP09 and JBoss Enterprise SOA Platform 4.2 and 4.3 supports the embedding of class files, which allows remote attackers to execute arbitrary code via a crafted...

Spring Modulith 0.3 released

Hot on the heels of Spring Boot 3.0.2, I am excited to announce the 0.3 release of Spring Modulith. The release is packed with improvements. We have tweaked a couple of things that might require your attention and a couple of adapting changes to your code. The most notable changes are: GH-114 – W...

Update initializer library to prevent reentrancy during initialization

Lines of code Vulnerability details Since proxied contracts do not make use of a constructor, it's common to move constructor logic to an external initializer function, usually called initialize. It then becomes necessary to protect this initializer function so it can only be called once. The...

Authorization Bypass

OpenZeppelin Contracts is vulnerable to authentication bypass. The vulnerability exists because initializer modifier is not properly handled which allows an attacker to cause reentrancy by executing an external call to an untrusted address...

CVE-2022-39384 OpenZeppelin Contracts initializer reentrancy may lead to double initialization

OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation the most prominent example being minimal proxies may be reentered if they make an untrusted non-view external cal...

Openzeppelin contracts with critical and high vulnerabilities can be installed and used

Lines of code Vulnerability details Impact Currently, @openzeppelin/contracts and @openzeppelin/contracts-upgradeable versions are set as follows. "@openzeppelin/contracts": "^4.1.0", "@openzeppelin/contracts-upgradeable": "^4.1.0", For the specified version, there are some critical and high...

Update initializer modifier to prevent reentrancy during initialization

Lines of code Vulnerability details Impact The solution uses: "@openzeppelin/contracts": "^4.0.0", "@openzeppelin/contracts-upgradeable": "^4.3.2", These dependencies have a known high severity vulnerability: Which makes these contracts vulnerable: contracts/helpers/CryptoPunksHelper.sol: 19:...

[WP-H0] Wrong implementation of EIP712MetaTransaction

Lines of code Vulnerability details 1. EIP712MetaTransaction is a utils contract that intended to be inherited by concrete actual contracts, therefore. it's initializer function should not use the initializer modifier, instead, it should use onlyInitializing modifier. See the implementation of...

Privilege Escalation

openzeppelin/contracts is vulnerable to privilege escalation. The vulnerability exists due to the lack of sanitization in the initializer function which allowed an actor with executor role to escalate privileges...

Improper Initialization in OpenZeppelin

In OpenZeppelin =v4.4.0, initializer functions that are invoked separate from contract creation the most prominent example being minimal proxies may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an...

CVE-2021-46320

In OpenZeppelin =v4.4.0, initializer functions that are invoked separate from contract creation the most prominent example being minimal proxies may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an...

Code injection

In OpenZeppelin =v4.4.0, initializer functions that are invoked separate from contract creation the most prominent example being minimal proxies may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an...

CVE-2021-46320

Concretely documented in OpenZeppelin advisories: OpenZeppelin Contracts (and upgradeable variants)

CVE-2021-46320

In OpenZeppelin =v4.4.0, initializer functions that are invoked separate from contract creation the most prominent example being minimal proxies may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an...

OpenZeppelin 安全漏洞

OpenZeppelin is a software application. A standard for secure blockchain applications. A security vulnerability exists in OpenZeppelin =v4.4.0 that stems from initializer functions that are called separately from contract creation the most notable example being minimal proxies and can be re-enter...

GHSA-9C22-PWXW-P6HX OpenZeppelin Contracts initializer reentrancy may lead to double initialization

Impact Initializer functions that are invoked separate from contract creation the most prominent example being minimal proxies may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed. However, an exception put in plac...

PT-2021-24346 · Openzeppelin · Openzeppelin Contracts

Name of the Vulnerable Software and Affected Versions: OpenZeppelin Contracts versions 3.2.0 through 4.4.0 Description: The issue concerns initializer functions that are invoked separate from contract creation, such as minimal proxies, which may be reentered if they make an untrusted non-view...

The vulnerability of the `parser_parse_object_initializer` function in the `js-parser-expr.c` component of the JavaScript framework for Internet of Things, JerryScript, and the IoT.js platform, arises due to the insufficient use of the `assert()` function. This allows attackers to trigger a service failure.

The vulnerability of the parserparseobjectinitializer function in the js-parser-expr.c component of the JavaScript framework for Internet of Things technology, JerryScript, and the IoT.js platform is related to the insufficient use of the assert function. Exploiting this vulnerability could allow...