Inappropriate coding practices in contracts-upgradeable
Description
UUPSUpgradeable vulnerability in @openzeppelin/contracts
Impact
Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.
Patches
A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.
Workarounds
Initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.
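The following sketch is an added example, not code from the advisory or from OpenZeppelin. It shows a UUPS implementation written so that the implementation contract itself never sits uninitialized. It uses a related technique, marking the implementation as initialized in its constructor, rather than calling `initialize` on it after deployment. The contract name `VaultV1` and its `value` field are hypothetical, and the 4.x `contracts-upgradeable` API is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.2;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical contract used only for illustration.
contract VaultV1 is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint256 public value;

    // Runs once, in the implementation's own storage, when the implementation
    // is deployed. The `initializer` modifier sets the initialized flag there,
    // so a later direct call to initialize() on the implementation reverts.
    // The proxy has separate storage and is unaffected.
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() initializer {}

    // Called through the proxy (delegatecall), so it writes the proxy's
    // storage: owner, initialized flag, and application state.
    function initialize(uint256 initialValue) public initializer {
        __Ownable_init();
        __UUPSUpgradeable_init();
        value = initialValue;
    }

    // UUPS upgrade authorization hook: only the owner recorded in the
    // proxy's storage may upgrade.
    function _authorizeUpgrade(address newImplementation)
        internal
        override
        onlyOwner
    {}
}
```

For an implementation that is already deployed without such a constructor, the workaround above applies as written: send the `initialize` transaction to the implementation's own address, not to the proxy.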
References
For more information
If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at [email protected].
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm | | | 4.3.2 |
| npm | | | 4.3.2 |
| npm | | | 4.3.2 |