Discover the impact of CVE-2022-31170 affecting OpenZeppelin Contracts versions 4.0.0 to 4.7.1. Learn about the vulnerability, its severity, technical details, and mitigation steps.
OpenZeppelin Contracts is a library for smart contract development. A vulnerability in versions 4.0.0 to 4.7.1 allows ERC165Checker to revert instead of returning false, impacting integrity. Learn more about the impact, technical details, and mitigation strategies.
Understanding CVE-2022-31170
This CVE affects OpenZeppelin Contracts, specifically version range 4.0.0 to 4.7.1, introducing a critical vulnerability related to ERC165Checker's behavior.
What is CVE-2022-31170?
Versions 4.0.0 to 4.7.1 of OpenZeppelin Contracts are susceptible to ERC165Checker reverting instead of returning false. This can occur because of an incorrect assumption about how abi.decode behaves in Solidity 0.8.
The Impact of CVE-2022-31170
The vulnerability poses a high severity risk with a CVSS base score of 7.5. It affects integrity, and the flaw can be exploited without requiring any privileges. The issue was discovered and reported through GitHub's security advisories.
Technical Details of CVE-2022-31170
Understanding the specific details of the vulnerability is crucial for effective mitigation and prevention.
Vulnerability Description
The issue stems from ERC165Checker not conforming to its expected behavior of always returning a boolean: in certain scenarios it reverts instead. This can be triggered when interacting with contracts that do not implement EIP-165 as anticipated.
Affected Systems and Versions
OpenZeppelin Contracts versions 4.0.0 to 4.7.1 are confirmed to be impacted by this vulnerability, specifically those utilizing ERC165Checker for interface support validation.
Exploitation Mechanism
By leveraging the erroneous assumption regarding abi.decode in Solidity 0.8, threat actors can potentially trigger reverts through contracts that return non-standard return values when queried.
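To make the failure mode described in the Vulnerability Description and Exploitation Mechanism sections concrete, the library below is an added illustration and not OpenZeppelin's own code: one function decodes the staticcall result directly (the pattern that reverts on short or malformed return data), the other checks the return data length first and treats anything unexpected as "not supported". The names IERC165Like, InterfaceProbe, supportsUnchecked and supportsChecked are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not OpenZeppelin's code. Minimal EIP-165 interface shape
// so the selector can be computed; the name is an assumption.
interface IERC165Like {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

library InterfaceProbe {
    // Unchecked variant: in Solidity 0.8, abi.decode reverts when `result`
    // is shorter than 32 bytes (a callee that returns nothing or a few
    // bytes) and also when the 32-byte word is not a valid bool (not 0/1).
    // A caller that expects a plain `false` therefore gets a revert.
    function supportsUnchecked(address account, bytes4 interfaceId) internal view returns (bool) {
        bytes memory data = abi.encodeWithSelector(IERC165Like.supportsInterface.selector, interfaceId);
        (bool success, bytes memory result) = account.staticcall{gas: 30000}(data);
        return success && abi.decode(result, (bool));
    }

    // Hardened variant: refuse to decode unless the call succeeded and
    // returned a full 32-byte word, then read that word as an integer so
    // the strict bool validation cannot revert either. Any deviation from
    // a well-formed `true` is reported as `false`, never as an error.
    function supportsChecked(address account, bytes4 interfaceId) internal view returns (bool) {
        bytes memory data = abi.encodeWithSelector(IERC165Like.supportsInterface.selector, interfaceId);
        (bool success, bytes memory result) = account.staticcall{gas: 30000}(data);
        if (!success || result.length < 32) {
            return false; // no or short return data: not EIP-165 compliant
        }
        uint256 word = abi.decode(result, (uint256));
        return word == 1;
    }
}
```

A consumer that must never revert on an interface probe (for example, a loop over many addresses) should route every check through the length-validated variant.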
Mitigation and Prevention
Taking immediate action to address CVE-2022-31170 is crucial to safeguard affected systems and applications.
Immediate Steps to Take
Developers and users should update to the patched version 4.7.1 of OpenZeppelin Contracts to mitigate the risk of exploitation, and apply security updates promptly.
Long-Term Security Practices
Practicing secure coding principles, conducting regular security audits, and staying informed about potential vulnerabilities in dependencies are essential for long-term security.
Patching and Updates
Stay informed about security advisories and patches released by OpenZeppelin and other relevant sources to address vulnerabilities promptly.