GHSA-7j52-6fjp-58gr – @openzeppelin/contracts-upgradeable
Package
Manager: npm
Name: @openzeppelin/contracts-upgradeable
Vulnerable Version: >=4.0.0 <4.3.0
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Inconsistent storage layout for ERC2771ContextUpgradeable

### Impact

The storage layout of ERC2771ContextUpgradeable is not constant between versions.

- In versions `4.0.0`, `4.1.0` and `4.2.0`, the contract has a length of 51 slots.
- Since `4.3.0`, the contract has a length of 50 slots.
- Future versions will continue using 50 slots.

This difference in layout could result in breaking upgrades if someone upgrades from an affected version to a non-affected version. It is thus recommended to be extremely careful when upgrading a contract that uses ERC2771ContextUpgradeable `<4.3.0` to a newer version that uses `>=4.3.0`.

We've assessed the instances of this contract found on chain (with publicly verified source code) and notified the corresponding teams of the risk that an upgrade could cause.

### Workarounds

Potentially breaking upgrades would be caught by the OpenZeppelin Upgrades Plugins for Hardhat and Truffle. It is recommended to use this tooling for all your upgrades.

If you need to upgrade to a newer version of the Upgradeable Contracts library, we recommend copying the previous implementation of ERC2771ContextUpgradeable (available in the `release-4.2` branch) and packaging it with your code.

### Reference

https://github.com/OpenZeppelin/openzeppelin-transpiler/pull/86

### For more information

If you have any questions, comments, or need assistance regarding this advisory, email us at [security@openzeppelin.com](mailto:security@openzeppelin.com). To submit security reports please use [our bug bounty on Immunefi](https://immunefi.com/bounty/openzeppelin/).
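To show why the 51-to-50 slot change breaks inheriting contracts, here is an added example (not part of the advisory and not the OpenZeppelin Upgrades Plugins code) of the kind of storage-layout compatibility check that tooling performs. The parent's variable names are hypothetical; only the slot totals (51 before `4.3.0`, 50 since) come from the advisory, and the child contract and its variables are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:
    name: str
    typ: str
    slots: int  # number of 32-byte storage slots the variable occupies

def assign_slots(layout):
    """Map each variable to (first_slot, type), laid out in declaration order.
    Simplified model: every variable starts a fresh slot (no packing), which
    holds for the address / fixed-array / mapping shapes used below."""
    out, slot = {}, 0
    for v in layout:
        out[v.name] = (slot, v.typ)
        slot += v.slots
    return out

def check_upgrade(old, new):
    """Return a list of problems (empty means the upgrade is layout-safe).
    Rule: every existing variable must keep its slot and type; a `__gap`
    array may be resized, but anything declared after it must not move;
    brand-new variables may only be appended at the end."""
    old_s, new_s = assign_slots(old), assign_slots(new)
    problems = []
    for name, (slot, typ) in old_s.items():
        if name not in new_s:
            problems.append(f"{name}: removed")
            continue
        nslot, ntyp = new_s[name]
        if nslot != slot:
            problems.append(f"{name}: moved from slot {slot} to slot {nslot}")
        if ntyp != typ and not name.startswith("__gap"):
            problems.append(f"{name}: type changed {typ} -> {ntyp}")
    return problems

# Constructed layouts. Parent variable names are hypothetical; only the slot
# totals (51 slots before 4.3.0, 50 slots since) are taken from the advisory.
PARENT_OLD = [Var("_trustedForwarder", "address", 1), Var("__gap", "uint256[50]", 50)]
PARENT_NEW = [Var("_trustedForwarder", "address", 1), Var("__gap", "uint256[49]", 49)]
# Constructed variables of an inheriting contract; they land right after the parent's slots.
CHILD = [Var("owner", "address", 1), Var("balances", "mapping(address => uint256)", 1)]

def child_layout(parent, extra=()):
    """Full layout of a contract inheriting `parent`, declaring CHILD, then `extra`."""
    return parent + CHILD + list(extra)

if __name__ == "__main__":
    # Upgrading the parent from <4.3.0 to >=4.3.0 shifts every child variable by one slot.
    print(check_upgrade(child_layout(PARENT_OLD), child_layout(PARENT_NEW)))
```

The advisory's workaround corresponds to keeping `PARENT_OLD` in the new implementation and only appending variables, which the check reports as compatible.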
Metadata
Created: 2022-03-14T23:22:27Z
Modified: 2022-03-14T23:22:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-7j52-6fjp-58gr/GHSA-7j52-6fjp-58gr.json
CWE IDs: []
Alternative ID: N/A
Finding: F079
Auto approve: 1