169 matches found

Vulnrichment | added 2022/11/04 12:0 a.m. | 4 views

CVE-2022-39384 OpenZeppelin Contracts initializer reentrancy may lead to double initialization

OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separately from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external cal...

CVSS 5.6 | AI score 5.5 | EPSS 0.00587
Exploits: 0 | References: 2
CVE | added 2022/11/04 12:0 a.m. | 66 views

CVE-2022-39384

OpenZeppelin Contracts (3.2.0–4.4.1) contain an initializer reentrancy issue caused by an exception used to support multiple inheritance, allowing reentry when an untrusted non-view external call is made during initialization. The impact is described as minor since upgradeable proxies are usually...

CVSS 5.6 | AI score 6 | EPSS 0.00587
Exploits: 0 | References: 2 | Affected Software: 2
Code423n4 | added 2022/10/21 12:0 a.m. | 7 views

Upgraded Q -> M from 42 [1666367610163]

Judge has assessed an item in Issue 42 as Medium risk. The relevant finding follows: Permit signature replay across forks Details: GolomTrader.sol defines chainId at contract deployment without reconstructing it for every signature. However, as stated in the security considerations section of...

AI score 6.9
Exploits: 0
vulnersOsv | added 2022/08/18 6:48 p.m. | 1 views

4337-snap (>=0.1.0 <=0.1.1), @0xabcdefg/smart-order-router (>=1.0.0 <=1.0.5) +1243 more potentially affected by CVE-2022-31198 via @openzeppelin/contracts (>=4.3.0 <=4.7.1)

@openzeppelin/contracts NPM version =4.3.0, =0.1.0, =1.0.0, =1.0.0, =3.24.7, =1.7.2, =1.0.0, =0.2.0, =4.14.3, =1.0.2, =4.0.0, =4.0.1, =2.0.0, =3.1.0 and more Source cves: CVE-2022-31198 Source advisory: OSV:GHSA-XRC4-737V-9Q75...

CVSS 7.5 | AI score 7.1 | EPSS 0.00266
Exploits: 0
OSV | added 2022/08/18 6:48 p.m. | 11 views

GHSA-XRC4-737V-9Q75 OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals

Impact: This issue concerns instances of Governor that use the module GovernorVotesQuorumFraction, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirement, past proposals ma...

CVSS 7.5 | AI score 7.4 | EPSS 0.00266
Exploits: 0 | References: 5
NVD | added 2022/08/15 11:21 a.m. | 12 views

CVE-2022-35961

OpenZeppelin Contracts is a library for secure smart contract development. The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issu...

CVSS 7.9 | EPSS 0.00164
Exploits: 0 | References: 3
Prion | added 2022/08/15 11:21 a.m. | 20 views

Format string

OpenZeppelin Contracts is a library for secure smart contract development. The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issu...

CVSS 4 | AI score 6.5 | EPSS 0.00164
Exploits: 0 | References: 3 | Affected Software: 2
OSV | added 2022/08/14 12:25 a.m. | 26 views

GHSA-9J3M-G383-29QR OpenZeppelin Contracts's Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls

Impact: Contracts using the cross chain utilities for Arbitrum L2 (CrossChainEnabledArbitrumL2 or LibArbitrumL2) will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This is assessed as low severity because any action taken...

CVSS 5.3 | AI score 5.1 | EPSS 0.00244
Exploits: 0 | References: 5
Github Security Blog | added 2022/08/14 12:23 a.m. | 24 views

OpenZeppelin Contracts ERC165Checker unbounded gas consumption

Impact: The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. Patches: The issue has been fixed in v4.7.2. References...

CVSS 5.3 | AI score 5.4 | EPSS 0.00305
Exploits: 0 | References: 5 | Affected Software: 4
vulnersOsv | added 2022/08/14 12:23 a.m. | 1 views

0x-hunter-core (>=1.0.0-33 <=1.0.0-38), 1155-to-20 (>=1.0.0 <=1.0.2) +3062 more potentially affected by CVE-2022-35915 via @openzeppelin/contracts (>=2.3.0 <=4.7.1)

@openzeppelin/contracts NPM version =2.3.0, =1.0.0-33, =1.0.0, =0.1.0, =1.0.0, =1.0.0, =1.9.1, =3.24.7, =1.7.2, =3.10.3, =0.0.2, =1.4.1, =1.0.0, =1.12.0 - @0xkkkkkkkkkkkkkkk/dodo =2.0.1 and more Source cves: CVE-2022-35915 Source advisory: OSV:GHSA-7GRF-83VW-6F5X...

CVSS 5.3 | AI score 6 | EPSS 0.00305
Exploits: 0
CVE | added 2022/08/14 12:5 a.m. | 66 views

CVE-2022-35961

OpenZeppelin Contracts (ECDSA.recover and ECDSA.tryRecover) suffer signature malleability due to acceptance of EIP-2098 compact signatures in the single-bytes variants (not when using r, v, s or r, vs). This could allow a reused/double-submitted signature to bypass replay protection in contracts ...

CVSS 7.9 | AI score 6.8 | EPSS 0.00164
Exploits: 0 | References: 3 | Affected Software: 2
Vulnrichment | added 2022/08/14 12:5 a.m. | 5 views

CVE-2022-35961 ECDSA signature malleability in OpenZeppelin Contracts

OpenZeppelin Contracts is a library for secure smart contract development. The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issu...

CVSS 7.9 | AI score 7.7 | EPSS 0.00164
Exploits: 0 | References: 3
Cvelist | added 2022/08/14 12:5 a.m. | 17 views

CVE-2022-35961 ECDSA signature malleability in OpenZeppelin Contracts

OpenZeppelin Contracts is a library for secure smart contract development. The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issu...

CVSS 7.9 | AI score 7.9 | EPSS 0.00164
Exploits: 0 | References: 3
OSV | added 2022/08/14 12:5 a.m. | 13 views

CVE-2022-35961 ECDSA signature malleability in OpenZeppelin Contracts

OpenZeppelin Contracts is a library for secure smart contract development. The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issu...

CVSS 7.9 | AI score 6.7 | EPSS 0.00164
Exploits: 0 | References: 5
Veracode | added 2022/08/02 11:41 a.m. | 23 views

Business Logic Flaws

OpenZeppelin Contracts has business logic flaws. The vulnerability exists due to a lack of sanitization between cross chains, allowing contracts using Arbitrum L2 (CrossChainEnabledArbitrumL2 or LibArbitrumL2) to be classified as direct interactions of externally owned accounts (EOAs) even though the...

CVSS 5.3 | AI score 5.4 | EPSS 0.00244
Exploits: 0 | References: 2 | Affected Software: 4
Veracode | added 2022/08/02 10:34 a.m. | 22 views

Business Logic Flaws

OpenZeppelin Contracts has a business logic flaw. The vulnerability exists due to a lack of sanitization of past quorum, allowing it to be executable when a new quorum meets the smart contract's requirement...

CVSS 7.5 | AI score 7.2 | EPSS 0.00266
Exploits: 0 | References: 3 | Affected Software: 4
NVD | added 2022/08/01 9:15 p.m. | 8 views

CVE-2022-35915

OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in...

CVSS 5.3 | EPSS 0.00305
Exploits: 0 | References: 2
NVD | added 2022/08/01 9:15 p.m. | 11 views

CVE-2022-35916

OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2 (CrossChainEnabledArbitrumL2 or LibArbitrumL2) will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not...

CVSS 5.3 | EPSS 0.00244
Exploits: 0 | References: 2
Prion | added 2022/08/01 9:15 p.m. | 12 views

Cross site scripting

OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2 (CrossChainEnabledArbitrumL2 or LibArbitrumL2) will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not...

CVSS 5 | AI score 5.2 | EPSS 0.00244
Exploits: 0 | References: 2 | Affected Software: 2
Vulnrichment | added 2022/08/01 9:5 p.m. | 5 views

CVE-2022-35915 Unbounded gas consumption in @openzeppelin/contracts

OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in...

CVSS 5.3 | AI score 5.2 | EPSS 0.00305
Exploits: 0 | References: 2