CVE-2021-46320 : What You Need to Know

Learn about CVE-2021-46320 affecting OpenZeppelin <=v4.4.0. Understand the vulnerability allowing reentry of initializer functions and how to mitigate the risk.

OpenZeppelin <=v4.4.0 is affected by a vulnerability where initializer functions may be reentered if an untrusted non-view external call is made, potentially allowing reentrancy and breaking the expected single execution.

Understanding CVE-2021-46320

What is CVE-2021-46320?

In OpenZeppelin <=v4.4.0, initializer functions can be reentered: the guard that permits nested initializer calls (there to support multiple inheritance) also admits a call arriving back into the initializer, so an initializer that is expected to run once can be executed again.

The Impact of CVE-2021-46320

This vulnerability could be used for reentrancy attacks: a callee reached during initialization can call back into the initializer, so state that was meant to be set exactly once can be set again.

Technical Details of CVE-2021-46320

Vulnerability Description

The vulnerability in OpenZeppelin <=v4.4.0 allows initializer functions to be reentered, contrary to the expected behavior that an initializer executes only once.

Affected Systems and Versions

        Product: not applicable
        Vendor: not applicable
        Version: not applicable

Exploitation Mechanism

The vulnerability is triggered when an initializer makes an untrusted non-view external call: the callee can call back into the initializer, which passes the guard and runs again instead of exactly once.

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to a version higher than v4.4.0 to address the vulnerability.
        Review and secure all external calls to prevent reentrancy exploits.
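The following Solidity is an added illustration of the mechanism and of the mitigation, not code from this page or from OpenZeppelin. It reconstructs the shape of the initializer guard in a weak form (the pattern CVE-2021-46320 describes) beside a hardened form modelled on the approach the patched library takes: nested initializer calls are tolerated only in constructor context, and parent initializers get their own `onlyInitializing` guard. Contract and interface names (`WeakInitializable`, `HardenedInitializable`, `VaultWeak`, `VaultHardened`, `IRegistry`) are mine; the storage field names follow the library's convention so the logic is recognisable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Teaching reconstruction of the initializer guard, not OpenZeppelin's code.

// WEAK GUARD: while _initializing is true the require passes for *any*
// caller, so a callee reached through an external call made inside the
// initializer can call back in and run the initializer body again.
abstract contract WeakInitializable {
    bool private _initialized;
    bool private _initializing;

    modifier initializer() {
        require(_initializing || !_initialized, "already initialized");
        bool isTopLevelCall = !_initializing;
        if (isTopLevelCall) {
            _initializing = true;
            _initialized = true;
        }
        _;
        if (isTopLevelCall) {
            _initializing = false;
        }
    }
}

// HARDENED GUARD: a nested `initializer` is tolerated only while the contract
// has no code yet (constructor context). After deployment, including when
// running behind a proxy, a second entry during initialization is a reentry
// and reverts. Parent initializers use `onlyInitializing`, which only runs
// inside an active top-level initializer, so multiple-inheritance chaining
// still works without reopening the reentry window.
abstract contract HardenedInitializable {
    bool private _initialized;
    bool private _initializing;

    modifier initializer() {
        require(_initializing ? _isConstructor() : !_initialized, "already initialized");
        bool isTopLevelCall = !_initializing;
        if (isTopLevelCall) {
            _initializing = true;
            _initialized = true;
        }
        _;
        if (isTopLevelCall) {
            _initializing = false;
        }
    }

    modifier onlyInitializing() {
        require(_initializing, "not initializing");
        _;
    }

    function _isConstructor() private view returns (bool) {
        return address(this).code.length == 0;
    }
}

// Hypothetical untrusted dependency that the initializer hands control to.
interface IRegistry {
    function register(address owner) external;
}

contract VaultWeak is WeakInitializable {
    address public owner;
    uint256 public initRuns;

    // If `registry` calls back into initialize() from register(), the weak
    // guard admits the call: initRuns ends at 2 and owner holds whatever the
    // second call supplied.
    function initialize(address owner_, IRegistry registry) external initializer {
        owner = owner_;
        initRuns += 1;
        registry.register(owner_);
    }
}

contract VaultHardened is HardenedInitializable {
    address public owner;
    uint256 public initRuns;

    // Parent-style init helper: callable only during a top-level initializer.
    function __Vault_init(address owner_) internal onlyInitializing {
        owner = owner_;
        initRuns += 1;
    }

    // Same untrusted call, but a callback into initialize() now arrives with
    // _initializing == true and code already at this address, so the guard
    // reverts and the body runs exactly once. The external call is kept last
    // so all state is settled before control leaves the contract.
    function initialize(address owner_, IRegistry registry) external initializer {
        __Vault_init(owner_);
        registry.register(owner_);
    }
}
```

To check the two guards in a local test, deploy each vault with a registry stub whose `register()` calls `initialize()` on `msg.sender` again: `VaultWeak.initRuns` reads 2 afterwards, while `VaultHardened.initialize` reverts with "already initialized" and never completes with a reentered state. Independently of the guard, the review step above applies: an initializer should not hand control to an untrusted contract at all, and any call it must make belongs after every state write.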

Long-Term Security Practices

        Conduct regular security assessments and audits of smart contracts.
        Follow secure coding practices, with particular attention to preventing reentrancy in functions that make external calls.

Patching and Updates

Apply the latest patches and updates provided by OpenZeppelin to mitigate the CVE-2021-46320 vulnerability.
