OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
Understanding CVE-2022-31172
This vulnerability affects the OpenZeppelin Contracts library versions between 4.1.0 and 4.7.1, leading to potential issues with SignatureChecker reverting.
What is CVE-2022-31172?
OpenZeppelin Contracts, a smart contract development library, had a vulnerability in versions 4.1.0 to 4.7.1. The issue caused SignatureChecker to revert when checking signatures against invalid EIP-1271 signers.
The Impact of CVE-2022-31172
The vulnerability poses a high severity risk with a CVSS base score of 7.5. Because of an incorrect assumption about how Solidity 0.8's abi.decode behaves, certain contracts may revert when handling invalid signatures.
Technical Details of CVE-2022-31172
This section dives into the specifics of the vulnerability, including its description, affected systems, and exploitation mechanism.
Vulnerability Description
The vulnerability in OpenZeppelin Contracts arises from a flaw in the SignatureChecker component, causing it to revert unexpectedly under certain conditions.
Affected Systems and Versions
Versions between 4.1.0 and 4.7.1 of the OpenZeppelin Contracts library are impacted by this vulnerability.
Exploitation Mechanism
A target contract that does not implement EIP-1271 as expected could cause SignatureChecker to revert, potentially disrupting the contract that relies on the check.
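The following is an added illustration constructed for this page, not OpenZeppelin's code: a hypothetical NonConformingSigner answers the EIP-1271 call with a 32-byte word whose low bytes are not zero, which makes a checker that decodes the result as bytes4 revert under Solidity 0.8's validating abi.decode, while a checker that decodes the full word and compares it returns false instead (the hardened form is a sketch of the idea, not the library's patch).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration for this page; not OpenZeppelin's code.
interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes memory signature)
        external view returns (bytes4);
}

// Hypothetical signer that does not implement EIP-1271 as expected: the
// function has the right selector, but the 32-byte return word carries
// non-zero bytes below the 4-byte magic value.
contract NonConformingSigner {
    function isValidSignature(bytes32, bytes memory) external pure returns (bytes32) {
        return bytes32(IERC1271.isValidSignature.selector) | bytes32(uint256(1));
    }
}

contract SignatureCheckerDemo {
    // Vulnerable pattern: in Solidity 0.8, abi.decode(ret, (bytes4)) validates
    // that the low 28 bytes of the word are zero and reverts otherwise, so a
    // non-conforming signer makes the whole check revert instead of returning false.
    function isValidVulnerable(address signer, bytes32 hash, bytes memory sig)
        public view returns (bool)
    {
        (bool ok, bytes memory ret) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, sig)
        );
        return ok && ret.length == 32
            && abi.decode(ret, (bytes4)) == IERC1271.isValidSignature.selector;
    }

    // Hardened pattern: decode the whole word and compare it with the
    // left-aligned magic value; any other content yields false, never a revert.
    function isValidHardened(address signer, bytes32 hash, bytes memory sig)
        public view returns (bool)
    {
        (bool ok, bytes memory ret) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, sig)
        );
        return ok && ret.length == 32
            && abi.decode(ret, (bytes32)) == bytes32(IERC1271.isValidSignature.selector);
    }
}
```

Calling isValidVulnerable with the address of a deployed NonConformingSigner reverts, whereas isValidHardened returns false for the same input, which is the behaviour a caller of a signature check expects.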
Mitigation and Prevention
To address CVE-2022-31172, immediate actions and long-term security practices need to be implemented.
Immediate Steps to Take
Developers are advised to update their OpenZeppelin Contracts library to version 4.7.1 or newer to mitigate the vulnerability effectively.
Long-Term Security Practices
Ensure thorough input validation and adhere to best practices for smart contract development to prevent similar vulnerabilities in the future.
Patching and Updates
Regularly monitor for security advisories and apply patches promptly to keep systems secure.