14 matches found
CVE-2021-41264
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and...
EUVD-2021-1988
Malware in sbrugna...
XVSVault implementation cannot be upgraded due to lack of proper mechanism
Lines of code Vulnerability details Summary The XVSVault is expected to be upgradeable in the context of XVS staked for claiming the Venus Prime token. The XVSVault will be updated in Prime.sol with the initialize function. Impact The Prime.sol cannot be upgraded as clearly mentioned in the scoping...
Lack of double-step transfer in admin modification in an upgradeable contract is dangerous
Lines of code Vulnerability details Lack of double-step transfer in admin modification in an upgradeable contract is dangerous Summary Double-step transfer of admin / ownership should be a must in upgradeable contracts Vulnerability Detail Admin is changed with changeAdmin that calls changeAdmin,...
Pool is not initialized correctly
Lines of code Vulnerability details Impact Pool has no owner and will be un-upgradeable. Proof of Concept Pool does not provide an initialize interface to initialize the owner, so the owner will never be set. Pool as a UUPSUpgradeable can not be upgraded without a valid owner. Tools Used n/a...
[H-01] owner not set in Pool.sol
Lines of code Vulnerability details The pool.sol contract here is a UUPSUpgradeable contract. But there is no initialize function where Ownableinit is called, due to which owner is 0x0. It would be impossible to call authorizeUpgrade or change ownership of the contract. POC Adding the following...
Possible UUPSUpgradeable attack
Lines of code Vulnerability details Impact Missing implementation of the modifier Summary: initializer modifier is found in wfCashBase.sol but none of the OZ Initializable or AAVETokenV2Mintable.sol are included in wfCashBase or any of its related files. Details: I couldn’t find the modifier to b...
Privilege Escalation
openzeppelin-contracts is vulnerable to privilege escalation. Remote attackers are able to exploit vulnerable upgradeTo and upgradeToAndCall functions in UUPSUpgradeable component due to uninitialized implementation contracts...
Design/Logic Flaw
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and...
CVE-2021-41264
OpenZeppelin CVE-2021-41264 affects upgradeable contracts using UUPSUpgradeable due to uninitialized implementation contracts. The vulnerability is addressed in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. If upgrading is not possible, a mitigation is to initi...
CVE-2021-41264 UUPSUpgradeable vulnerability in OpenZeppelin Contracts
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and...
UUPSUpgradeable vulnerability in @openzeppelin/contracts
Impact Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon. Patches A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeabl...