Inappropriate coding practices in @openzeppelin/contracts-upgradeable
Description
UUPSUpgradeable vulnerability in @openzeppelin/contracts-upgradeable
Impact
Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.
Patches
A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.
Workarounds
Initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.
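An added example of this workaround (not code from the advisory or from OpenZeppelin): a UUPS implementation whose constructor carries the `initializer` modifier, so the implementation contract is marked initialized in its own deployment transaction and `initialize` cannot later be called on it directly. The contract name `VaultV1` and its `limit` state are hypothetical; the import paths assume the @openzeppelin/contracts-upgradeable 4.x layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical contract, named for illustration only.
contract VaultV1 is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    uint256 public limit;

    // Runs once, on the implementation's own storage, at deployment.
    // The `initializer` modifier marks the implementation as initialized,
    // so a later direct call to initialize() on it reverts.
    // No owner is set here: the implementation has no account that can
    // pass `onlyOwner`, and therefore nobody can authorize an upgrade on it.
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() initializer {}

    // Called through the proxy (delegatecall), so it writes the proxy's
    // storage. The proxy's "initialized" flag is separate from the
    // implementation's flag set by the constructor above.
    function initialize(uint256 initialLimit) public initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
        limit = initialLimit;
    }

    // UUPS upgrade gate: only the owner recorded in the calling
    // context's storage may switch implementations.
    function _authorizeUpgrade(address newImplementation)
        internal
        override
        onlyOwner
    {}
}
```

For an implementation that is already deployed without such a constructor, the workaround above applies as written: send a transaction that calls `initialize` at the implementation's own address, not the proxy's.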
References
A post-mortem will be published in a few days in the OpenZeppelin Forum.
For more information
If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at [email protected].
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm | @openzeppelin/contracts-upgradeable | | 4.3.2 |