Vulnerability Description
OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the `Governor` contract in v4.9.0 only, and the `GovernorCompatibilityBravo` contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround.
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openzeppelin | Contracts | >= 4.3.0, < 4.9.1 |
| Openzeppelin | Contracts Upgradeable | >= 4.3.0, < 4.9.1 |
Related Weaknesses (CWE)
References
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/d9474327a492f9f310 (Patch)
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA- (Vendor Advisory)
FAQ
What is CVE-2023-34234?
CVE-2023-34234 is a vulnerability with a CVSS score of 5.3 (MEDIUM). OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.
How severe is CVE-2023-34234?
CVE-2023-34234 has been rated MEDIUM with a CVSS base score of 5.3/10. See the CVSS Score section above.
Is there a patch for CVE-2023-34234?
Check the references section above for vendor advisories and patch information. Affected products include: Openzeppelin Contracts, Openzeppelin Contracts Upgradeable.