UUPSUpgradeable vulnerability in @openzeppelin/contracts
Critical severity
GitHub Reviewed
Published
Sep 14, 2021
in
OpenZeppelin/openzeppelin-contracts
•
Updated Jan 28, 2023
Description
Reviewed
Sep 14, 2021
Published to the GitHub Advisory Database
Sep 15, 2021
Published by the National Vulnerability Database
Nov 12, 2021
Last updated
Jan 28, 2023
Impact
Upgradeable contracts using
UUPSUpgradeable
may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.Patches
A fix is included in version 4.3.2 of
@openzeppelin/contracts
and@openzeppelin/contracts-upgradeable
.Workarounds
Initialize implementation contracts using
UUPSUpgradeable
by invoking the initializer function (usually calledinitialize
). An example is provided in the forum.References
Post-mortem.
For more information
If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.
References