GHSA-5h3x-9wvq-w4m2

Source
https://github.com/advisories/GHSA-5h3x-9wvq-w4m2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-5h3x-9wvq-w4m2/GHSA-5h3x-9wvq-w4m2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5h3x-9wvq-w4m2
Published
2023-06-08T18:03:11Z
Modified
2023-11-08T04:12:45.094367Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning
Details

Impact

By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.

This impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0.

Patches

The problem has been patched in 4.9.1 by introducing opt-in frontrunning protection.

Workarounds

Submit the proposal creation transaction to an endpoint with frontrunning protection.

Credit

Reported by Lior Abadi and Joaquin Pereyra from Coinspect.

References

https://www.coinspect.com/openzeppelin-governor-dos/

Database specific
{
    "nvd_published_at": "2023-06-07T18:15:09Z",
    "github_reviewed_at": "2023-06-08T18:03:11Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-862"
    ]
}
Affected packages

npm / @openzeppelin/contracts

Package

Name
@openzeppelin/contracts
Purl
pkg:npm/%40openzeppelin/contracts

Affected ranges

Type
SEMVER
Events
Introduced
4.3.0
Fixed
4.9.1

npm / @openzeppelin/contracts-upgradeable

Package

Name
@openzeppelin/contracts-upgradeable
Purl
pkg:npm/%40openzeppelin/contracts-upgradeable

Affected ranges

Type
SEMVER
Events
Introduced
4.3.0
Fixed
4.9.1
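
One way to check a project against the ranges above, as an added example (not part of the advisory or of OpenZeppelin's code): it walks the `packages` map of an npm `package-lock.json` and reports which of the two contracts named under Impact is exposed at each installed version. The helper names and the sample lockfile are constructed for illustration; versions that are not plain `x.y.z` are flagged for manual review rather than guessed at.

```javascript
// Added example: hypothetical helper names, constructed sample lockfile.
const PACKAGES = ["@openzeppelin/contracts", "@openzeppelin/contracts-upgradeable"];

// Parse "major.minor.patch"; returns null for anything else (pre-releases, tags).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Contracts the advisory lists as affected at a given version:
// GovernorCompatibilityBravo from 4.3.0 up to (not including) 4.9.1, Governor in 4.9.0 only.
function affectedContracts(version) {
  const v = parseVersion(version);
  if (!v) return null; // not plain x.y.z: review by hand
  const hit = [];
  if (compare(v, [4, 3, 0]) >= 0 && compare(v, [4, 9, 1]) < 0) hit.push("GovernorCompatibilityBravo");
  if (compare(v, [4, 9, 0]) === 0) hit.push("Governor");
  return hit;
}

// Walk the "packages" map of an npm v2/v3 lockfile, including nested copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!PACKAGES.some((p) => path.endsWith("node_modules/" + p))) continue;
    const contracts = affectedContracts(String(entry.version));
    if (contracts === null) findings.push({ path, version: entry.version, status: "review" });
    else if (contracts.length) findings.push({ path, version: entry.version, status: "affected", contracts });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = { packages: {
  "": { name: "dao-app" },
  "node_modules/@openzeppelin/contracts": { version: "4.9.0" },
  "node_modules/@openzeppelin/contracts-upgradeable": { version: "4.8.3" },
  "node_modules/dep/node_modules/@openzeppelin/contracts": { version: "4.9.1" },
}};
console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

A version in range only matters if the project actually inherits from Governor or GovernorCompatibilityBravo, so treat a finding as a prompt to check the governance contracts themselves.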