🚨 [security] Update @openzeppelin/contracts: 4.6.0 → 4.7.3 (minor)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​openzeppelin/contracts (4.6.0 → 4.7.3) · Repo · Changelog

Security Advisories 🚨

🚨 OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals

Impact

This issue concerns instances of Governor that use the module GovernorVotesQuorumFraction, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirement, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement.

Analysis of instances on chain found only one proposal that met this condition, and we are actively monitoring for new occurrences of this particular issue.

Patches

This issue has been patched in v4.7.2.

Workarounds

Avoid lowering quorum requirements if a past proposal was defeated for lack of quorum.

References

#3561

For more information

If you have any questions or comments about this advisory, or need assistance deploying the fix, email us at security@openzeppelin.com.

🚨 OpenZeppelin Contracts vulnerable to ECDSA signature malleability

Impact

The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issue for the functions that take a single bytes argument, and not the functions that take r, v, s or r, vs as separate arguments.

The potentially affected contracts are those that implement signature reuse or replay protection by marking the signature itself as used rather than the signed message or a nonce included in it. A user may take a signature that has already been submitted, submit it again in a different form, and bypass this protection.

Patches

The issue has been patched in 4.7.3.

For more information

If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at security@openzeppelin.com.

🚨 OpenZeppelin Contracts's Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls

Impact

Contracts using the cross chain utilies for Arbitrum L2, CrossChainEnabledArbitrumL2 or LibArbitrumL2, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This is assessed as low severity because any action taken by an EOA on the contract could also be taken by the EOA through the bridge if the issue was not present.

Patches

This issue has been patched in v4.7.2.

References

#3578

For more information

If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at security@openzeppelin.com.

🚨 OpenZeppelin Contracts ERC165Checker unbounded gas consumption

Impact

The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost.

Patches

The issue has been fixed in v4.7.2.

References

#3587

For more information

If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at security@openzeppelin.com.

🚨 OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers

Impact

SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected.

The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. We believe this to be unlikely.

Patches

The issue was patched in 4.7.1.

References

#3552

For more information

If you have any questions or comments about this advisory, or need assistance deploying the fix, email us at security@openzeppelin.com.

🚨 OpenZeppelin Contracts's ERC165Checker may revert instead of returning false

Impact

ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1.

The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting.

Patches

The issue was patched in 4.7.1.

References

#3552

For more information

If you have any questions or comments about this advisory, or need assistance deploying the fix, email us at security@openzeppelin.com.

Release Notes

4.7.3

⚠️ This is a patch for a high severity issue. For more information visit the security advisory.

Breaking changes

• ECDSA: recover(bytes32,bytes) and tryRecover(bytes32,bytes) no longer accept compact signatures to prevent malleability. Compact signature support remains available using recover(bytes32,bytes32,bytes32) and tryRecover(bytes32,bytes32,bytes32).

4.7.2

⚠️ This is a patch for three issues, including a high severity issue in GovernorVotesQuorumFraction. For more information visit the security advisories (1, 2, 3).

1. GovernorVotesQuorumFraction: Fixed quorum updates so they do not affect past proposals that failed due to lack of quorum. (#3561)
2. ERC165Checker: Added protection against large returndata. (#3587)
3. LibArbitrumL2, CrossChainEnabledArbitrumL2: Fixed detection of cross-chain calls for EOAs. Previously, calls from EOAs would be classified as cross-chain calls. (#3578)

4.7.1

⚠️ This is a patch for a medium severity issue affecting SignatureChecker and a high severity issue affecting ERC165Checker. For more information visit the security advisories (1, 2).

• SignatureChecker: Fix an issue that causes isValidSignatureNow to revert when the target contract returns ill-encoded data. (#3552)
• ERC165Checker: Fix an issue that causes supportsInterface to revert when the target contract returns ill-encoded data. (#3552)

4.7.0

• TimelockController: Migrate _call to _execute and allow inheritance and overriding similar to Governor. (#3317)
• CrossChainEnabledPolygonChild: replace the require statement with the custom error NotCrossChainCall. (#3380)
• ERC20FlashMint: Add customizable flash fee receiver. (#3327)
• ERC4626: add an extension of ERC20 that implements the ERC4626 Tokenized Vault Standard. (#3171)
• SafeERC20: add safePermit as mitigation against phantom permit functions. (#3280)
• Math: add a mulDiv function that can round the result either up or down. (#3171)
• Math: Add a sqrt function to compute square roots of integers, rounding either up or down. (#3242)
• Strings: add a new overloaded function toHexString that converts an address with fixed length of 20 bytes to its not checksummed ASCII string hexadecimal representation. (#3403)
• EnumerableMap: add new UintToUintMap map type. (#3338)
• EnumerableMap: add new Bytes32ToUintMap map type. (#3416)
• SafeCast: add support for many more types, using procedural code generation. (#3245)
• MerkleProof: add multiProofVerify to prove multiple values are part of a Merkle tree. (#3276)
• MerkleProof: add calldata versions of the functions to avoid copying input arrays to memory and save gas. (#3200)
• ERC721, ERC1155: simplified revert reasons. (#3254, (#3438))
• ERC721: removed redundant require statement. (#3434)
• PaymentSplitter: add releasable getters. (#3350)
• Initializable: refactored implementation of modifiers for easier understanding. (#3450)
• Proxies: remove runtime check of ERC1967 storage slots. (#3455)

Breaking changes

• Initializable: functions decorated with the modifier reinitializer(1) may no longer invoke each other.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[vercel[bot]]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated
amazon-blockchain	✅ Ready (Inspect)	Visit Preview	Aug 12, 2022 at 2:13AM (UTC)

[netlify[bot]]

✅ Deploy Preview for amazon-blockchain ready!

Name	Link
🔨 Latest commit	55b1741d95920e9ef7c3ff3d65509543f2130231
🔍 Latest deploy log	https://app.netlify.com/sites/amazon-blockchain/deploys/62f5b68f6e0f09000a851bf4
😎 Deploy Preview	https://deploy-preview-50--amazon-blockchain.netlify.app/
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[depfu[bot]]

Closed in favor of #59.

[depfu[bot]]

Closed in favor of #59.