Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03ajUyLTZmanAtNThncs0ynA

Inconsistent storage layout for ERC2771ContextUpgradeable

Impact

The storage layout of the ERC2771ContextUpgradeable is not constant between versions.

This difference in layout could result in breaking upgrades if someone upgrades from an affected version to a non-affected version. It is thus recommended to be extremely careful when upgrading from a contract that uses ERC2771ContextUpgradeable <4.3.0 to a newer version that uses >=4.3.0.

We've assessed the instances of this contract found on chain (with publicly verified source code) and notified the corresponding teams of the risk that an upgrade could cause.

Workarounds

Potentially breaking upgrades would be caught by the OpenZeppelin Upgrades Plugins for Hardhat and Truffle. It is recommended to use this tooling for all your upgrades.

If you need to upgrade to a newer version of the Upgradeable Contracts library, we recommend copying the previous implementation of ERC2771ContextUpgradeable (available in the release-4.2 branch) and packaging it with your code, so that the storage layout the proxy already relies on is preserved.
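As an added illustration (not OpenZeppelin's code, nor the Upgrades Plugins' own implementation), this is the kind of check that catches the upgrade hazard described above: compare the solc `storageLayout` output of the old and new implementation and flag every variable that moved, changed type or disappeared. The sample layouts are constructed to show a slot move and are not the real 4.2 / 4.3 layouts.

```python
def index_layout(layout):
    """Map label -> (slot, offset, type label, byte size) for each variable."""
    types = layout["types"]
    return {
        v["label"]: (int(v["slot"]), v["offset"], types[v["type"]]["label"],
                     int(types[v["type"]]["numberOfBytes"]))
        for v in layout["storage"]
    }

def slots_covered(slot, offset, size):
    """Set of storage slots a variable occupies (arrays span many slots)."""
    return set(range(slot, slot + (offset + size + 31) // 32))

def layout_diff(old_layout, new_layout):
    """Return incompatibilities: moved, retyped or removed variables, or new
    variables landing on slots the old layout already used. (Shrinking __gap
    to make room is a known-safe pattern that this simple check still reports.)"""
    old, new = index_layout(old_layout), index_layout(new_layout)
    problems = []
    for label, (slot, offset, typ, _) in old.items():
        if label not in new:
            problems.append(f"{label}: removed (was slot {slot})")
            continue
        nslot, noffset, ntyp, _ = new[label]
        if (nslot, noffset) != (slot, offset):
            problems.append(f"{label}: moved slot {slot}/{offset} -> {nslot}/{noffset}")
        if ntyp != typ:
            problems.append(f"{label}: type changed {typ} -> {ntyp}")
    used = set().union(*(slots_covered(s, o, n) for s, o, _, n in old.values()))
    for label, (slot, offset, _, size) in new.items():
        if label not in old and slots_covered(slot, offset, size) & used:
            problems.append(f"{label}: new variable overlaps old storage at slot {slot}")
    return problems

# Constructed sample layouts (not the real 4.2 / 4.3 layouts): the forwarder
# address and the reserved gap swap places between "versions".
TYPES = {
    "t_address": {"encoding": "inplace", "label": "address", "numberOfBytes": "20"},
    "t_array(t_uint256)49_storage": {"encoding": "inplace", "label": "uint256[49]",
                                     "numberOfBytes": "1568"},
}
OLD_LAYOUT = {"storage": [
    {"label": "_trustedForwarder", "offset": 0, "slot": "0", "type": "t_address"},
    {"label": "__gap", "offset": 0, "slot": "1", "type": "t_array(t_uint256)49_storage"},
], "types": TYPES}
NEW_LAYOUT = {"storage": [
    {"label": "__gap", "offset": 0, "slot": "0", "type": "t_array(t_uint256)49_storage"},
    {"label": "_trustedForwarder", "offset": 0, "slot": "49", "type": "t_address"},
], "types": TYPES}
```

Calling `layout_diff(OLD_LAYOUT, NEW_LAYOUT)` returns two findings; a non-empty list means the proxy's existing state would be read through the wrong variables after the upgrade.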

Reference

https://github.com/OpenZeppelin/openzeppelin-transpiler/pull/86

For more information

If you have any questions, comments, or need assistance regarding this advisory, email us at [email protected].

To submit security reports please use our bug bounty on Immunefi.

Permalink: https://github.com/advisories/GHSA-7j52-6fjp-58gr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ajUyLTZmanAtNThncs0ynA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-7j52-6fjp-58gr
References: Repository: https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
Blast Radius: 0.0

Affected Packages

npm:@openzeppelin/contracts-upgradeable
Dependent packages: 853
Dependent repositories: 4,919
Downloads: 565,440 last month
Affected Version Ranges: >= 4.0.0, < 4.3.0
Fixed in: 4.3.0
All affected versions: 4.0.0, 4.1.0, 4.2.0
All unaffected versions: 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 5.0.0, 5.0.1, 5.0.2