search

synapsecns / sanguine

Synapse Monorepo
MIT License
43 stars 31 forks source link

fix(deps): update dependency @openzeppelin/contracts-upgradeable to v4.9.6 [security] #3236

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@openzeppelin/contracts-upgradeable (source) 4.9.3 -> 4.9.6 age adoption passing confidence

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-31170

Impact

ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1.

The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting.

Patches

The issue was patched in 4.7.1.

References

https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552

For more information

If you have any questions or comments about this advisory, or need assistance deploying the fix, email us at security@openzeppelin.com.

CVE-2022-31172

Impact

SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected.

The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. We believe this to be unlikely.

Patches

The issue was patched in 4.7.1.

References

https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552

For more information

If you have any questions or comments about this advisory, or need assistance deploying the fix, email us at security@openzeppelin.com.

CVE-2022-35915

Impact

The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost.

Patches

The issue has been fixed in v4.7.2.

References

https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3587

For more information

If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at security@openzeppelin.com.

CVE-2022-35916

Impact

Contracts using the cross chain utilies for Arbitrum L2, CrossChainEnabledArbitrumL2 or LibArbitrumL2, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This is assessed as low severity because any action taken by an EOA on the contract could also be taken by the EOA through the bridge if the issue was not present.

Patches

This issue has been patched in v4.7.2.

References

https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578

For more information

If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at security@openzeppelin.com.

CVE-2022-31198

Impact

This issue concerns instances of Governor that use the module GovernorVotesQuorumFraction, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirement, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement.

Analysis of instances on chain found only one proposal that met this condition, and we are actively monitoring for new occurrences of this particular issue.

Patches

This issue has been patched in v4.7.2.

Workarounds

Avoid lowering quorum requirements if a past proposal was defeated for lack of quorum.

References

https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3561

For more information

If you have any questions or comments about this advisory, or need assistance deploying the fix, email us at security@openzeppelin.com.

CVE-2022-35961

Impact

The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issue for the functions that take a single bytes argument, and not the functions that take r, v, s or r, vs as separate arguments.

The potentially affected contracts are those that implement signature reuse or replay protection by marking the signature itself as used rather than the signed message or a nonce included in it. A user may take a signature that has already been submitted, submit it again in a different form, and bypass this protection.

Patches

The issue has been patched in 4.7.3.

For more information

If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at security@openzeppelin.com.

CVE-2023-30541

Impact

A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata.

The probability of an accidental clash is negligible, but one could be caused deliberately.

Patches

The issue has been fixed in v4.8.3.

Workarounds

If a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through.

References

https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4154

CVE-2023-30542

Impact

The proposal creation entrypoint (propose) in GovernorCompatibilityBravo allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions appear to respect the original intended calldata.

Patches

This issue has been patched in v4.8.3.

Workarounds

Ensure that all proposals that pass through governance have equal length signatures and calldatas parameters.

CVE-2023-34234

Impact

By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.

This impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0.

Patches

The problem has been patched in 4.9.1 by introducing opt-in frontrunning protection.

Workarounds

Submit the proposal creation transaction to an endpoint with frontrunning protection.

Credit

Reported by Lior Abadi and Joaquin Pereyra from Coinspect.

References

https://www.coinspect.com/openzeppelin-governor-dos/

CVE-2023-40014

Impact

OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using ERC2771Context along with a custom trusted forwarder may see _msgSender return address(0) in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for MinimalForwarder from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders.

Patches

The problem has been patched in v4.9.3.

CVE-2024-27094

Impact

The Base64.encode function encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer.

Although the encode function pads the output for these cases, up to 4 bits of data are kept between the encoding and padding, corrupting the output if these bits were dirty (i.e. memory after the input is not 0). These conditions are more frequent in the following scenarios:

Developers should evaluate whether the extra bits can be maliciously manipulated by an attacker.

Patches

Upgrade to 5.0.2 or 4.9.6.

References

This issue was reported by the Independent Security Researcher Riley Holterhus through Immunefi (@​rileyholterhus on X)

Release Notes

OpenZeppelin/openzeppelin-contracts-upgradeable (@​openzeppelin/contracts-upgradeable) ### [`v4.9.6`](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/HEAD/CHANGELOG.md#496-2024-02-29) [Compare Source](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/compare/v4.9.5...v4.9.6) - `Base64`: Fix issue where dirty memory located just after the input buffer is affecting the result. ([#​4929](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/4929)) ### [`v4.9.5`](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/releases/tag/v4.9.5) [Compare Source](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/compare/v4.9.4...v4.9.5) - `Multicall`: Patch duplicated `Address.functionDelegateCall`. ### [`v4.9.4`](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/releases/tag/v4.9.4) [Compare Source](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/compare/v4.9.3...v4.9.4) - `ERC2771Context` and `Context`: Introduce a `_contextPrefixLength()` getter, used to trim extra information appended to `msg.data`. - `Multicall`: Make aware of non-canonical context (i.e. `msg.sender` is not `_msgSender()`), allowing compatibility with `ERC2771Context`.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.

cloudflare-workers-and-pages[bot] commented 1 month ago

Deploying sanguine-fe with  Cloudflare Pages  Cloudflare Pages

Latest commit: be2681c
Status: ✅  Deploy successful!
Preview URL: https://0cc79482.sanguine-fe.pages.dev
Branch Preview URL: https://renovate-contracts-core-npm-t90m.sanguine-fe.pages.dev

View logs

coderabbitai[bot] commented 1 month ago

[!IMPORTANT]

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

🪧 Tips ### Chat There are 3 ways to chat with [CodeRabbit](https://coderabbit.ai): - Review comments: Directly reply to a review comment made by CodeRabbit. Example: - `I pushed a fix in commit , please review it.` - `Generate unit testing code for this file.` - `Open a follow-up GitHub issue for this discussion.` - Files and specific lines of code (under the "Files changed" tab): Tag `@coderabbitai` in a new review comment at the desired location with your query. Examples: - `@coderabbitai generate unit testing code for this file.` - `@coderabbitai modularize this function.` - PR comments: Tag `@coderabbitai` in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples: - `@coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.` - `@coderabbitai read src/utils.ts and generate unit testing code.` - `@coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.` - `@coderabbitai help me debug CodeRabbit configuration file.` Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. ### CodeRabbit Commands (Invoked using PR comments) - `@coderabbitai pause` to pause the reviews on a PR. - `@coderabbitai resume` to resume the paused reviews. - `@coderabbitai review` to trigger an incremental review. This is useful when automatic reviews are disabled for the repository. - `@coderabbitai full review` to do a full review from scratch and review all the files again. - `@coderabbitai summary` to regenerate the summary of the PR. - `@coderabbitai resolve` resolve all the CodeRabbit review comments. - `@coderabbitai configuration` to show the current CodeRabbit configuration for the repository. - `@coderabbitai help` to get help. ### Other keywords and placeholders - Add `@coderabbitai ignore` anywhere in the PR description to prevent this PR from being reviewed. - Add `@coderabbitai summary` to generate the high-level summary at a specific location in the PR description. - Add `@coderabbitai` anywhere in the PR title to generate the title automatically. ### Documentation and Community - Visit our [Documentation](https://coderabbit.ai/docs) for detailed information on how to use CodeRabbit. - Join our [Discord Community](http://discord.gg/coderabbit) to get help, request features, and share feedback. - Follow us on [X/Twitter](https://twitter.com/coderabbitai) for updates and announcements.
codecov[bot] commented 1 month ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 93.10658%. Comparing base (ed49b1b) to head (be2681c). Report is 6 commits behind head on master.

Additional details and impacted files ```diff @@ Coverage Diff @@ ## master #3236 +/- ## =================================================== + Coverage 90.43902% 93.10658% +2.66755% =================================================== Files 54 89 +35 Lines 1025 2205 +1180 Branches 82 278 +196 =================================================== + Hits 927 2053 +1126 - Misses 95 143 +48 - Partials 3 9 +6 ``` | [Flag](https://app.codecov.io/gh/synapsecns/sanguine/pull/3236/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=synapsecns) | Coverage Δ | | |---|---|---| | [packages](https://app.codecov.io/gh/synapsecns/sanguine/pull/3236/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=synapsecns) | `90.43902% <ø> (ø)` | | | [solidity](https://app.codecov.io/gh/synapsecns/sanguine/pull/3236/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=synapsecns) | `95.42373% <ø> (?)` | | Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=synapsecns#carryforward-flags-in-the-pull-request-comment) to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

renovate[bot] commented 1 month ago

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (4.9.6). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.