vercel[bot]
commented
1 year ago Deployment failed with the following error:
Resource is limited - try again in 1 hour (more than 100, code: "api-deployments-free-per-day").Closed renovate[bot] closed 1 year ago
vercel[bot]
commented
1 year ago Deployment failed with the following error:
Resource is limited - try again in 1 hour (more than 100, code: "api-deployments-free-per-day").
changeset-bot[bot]
commented
1 year ago Latest commit: 6f469a1535ac790be315f8106a8412b3de56eb83
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
socket-security[bot]
commented
1 year ago New and updated dependency changes detected. Learn more about Socket for GitHub ↗︎
| Packages | Version | New capabilities | Transitives^1 | Size | Publisher | |
|---|---|---|---|---|---|---|
| @openzeppelin/contracts-upgradeable | ⬆️ | 4.9.1...4.9.2 | None | +0/-0 |
2.11 MB | frangio |
This PR contains the following updates:
4.9.1->4.9.2GitHub Vulnerability Alerts
CVE-2023-34459
Impact
When the
verifyMultiProof,verifyMultiProofCalldata,processMultiProof, orprocessMultiProofCalldatafunctions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves.A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertently for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree.
A contract is not vulnerable if it uses single-leaf proving (
verify,verifyCalldata,processProof, orprocessProofCalldata), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe.Patches
The problem has been patched in 4.9.2.
Workarounds
If you are using multiproofs: When constructing merkle trees hash the leaves and do not insert empty nodes in your trees. Using the @openzeppelin/merkle-tree package eliminates this issue. Do not accept user-provided merkle roots without reconstructing at least the first level of the tree. Verify the merkle tree structure by reconstructing it from the leaves.
Release Notes
OpenZeppelin/openzeppelin-contracts-upgradeable
### [`v4.9.2`](https://togithub.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/HEAD/CHANGELOG.md#492-2023-06-16) [Compare Source](https://togithub.com/OpenZeppelin/openzeppelin-contracts-upgradeable/compare/v4.9.1...v4.9.2) - `MerkleProof`: Fix a bug in `processMultiProof` and `processMultiProofCalldata` that allows proving arbitrary leaves if the tree contains a node with value 0 at depth 1.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.