Headline
GHSA-7grf-83vw-6f5x: OpenZeppelin Contracts ERC165Checker unbounded gas consumption
Impact
The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost.
Patches
The issue has been fixed in v4.7.2.
References
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587
For more information
If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at [email protected].
Package
npm @openzeppelin/contracts (npm)
Affected versions
>= 2.0.0, < 4.7.2
Patched versions
4.7.2
npm @openzeppelin/contracts-upgradeable (npm)
>= 3.2.0, < 4.7.2
4.7.2
npm openzeppelin-eth (npm)
>= 2.0.0, <= 2.2.0
None
npm openzeppelin-solidity (npm)
>= 2.0.0, <= 4.6.0
None
Description
Impact
The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost.
Patches
The issue has been fixed in v4.7.2.
References
OpenZeppelin/openzeppelin-contracts#3587
For more information
If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at [email protected].
References
- GHSA-7grf-83vw-6f5x
- https://nvd.nist.gov/vuln/detail/CVE-2022-35915
- OpenZeppelin/openzeppelin-contracts#3587
- https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.7.2
frangio published the maintainer security advisory
Jul 28, 2022
Related news
OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.