Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01aDN4LTl3dnEtdzRtMs4AAzvg
OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning
Impact
By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.
This impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0.
Patches
The problem has been patched in 4.9.1 by introducing opt-in frontrunning protection.
Workarounds
Submit the proposal creation transaction to an endpoint with frontrunning protection.
Credit
Reported by Lior Abadi and Joaquin Pereyra from Coinspect.
References
https://www.coinspect.com/openzeppelin-governor-dos/
Permalink: https://github.com/advisories/GHSA-5h3x-9wvq-w4m2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01aDN4LTl3dnEtdzRtMs4AAzvg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 5 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-5h3x-9wvq-w4m2, CVE-2023-34234
References:
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5h3x-9wvq-w4m2
- https://nvd.nist.gov/vuln/detail/CVE-2023-34234
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/d9474327a492f9f310f31bc53f38dbea56ed9a57
- https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.1
- https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/66f390fa516b550838e2c2f65132b5bc2afe1ced
- https://github.com/advisories/GHSA-5h3x-9wvq-w4m2
Blast Radius: 24.1
Affected Packages
npm:@openzeppelin/contracts-upgradeable
Dependent packages: 853Dependent repositories: 4,919
Downloads: 596,544 last month
Affected Version Ranges: >= 4.3.0, < 4.9.1
Fixed in: 4.9.1
All affected versions: 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0
All unaffected versions: 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.2.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2
npm:@openzeppelin/contracts
Dependent packages: 3,207Dependent repositories: 34,743
Downloads: 1,542,151 last month
Affected Version Ranges: >= 4.3.0, < 4.9.1
Fixed in: 4.9.1
All affected versions: 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0
All unaffected versions: 2.3.0, 2.4.0, 2.5.0, 2.5.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.0.0, 4.1.0, 4.2.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2