OpenZeppelin Contracts's ERC165Checker may revert instead of returning false
Description
OpenZeppelin Contracts is a library for smart contract development. Versions 4.0.0 until 4.7.1 are vulnerable to ERC165Checker reverting instead of returning false. ERC165Checker.supportsInterface is designed to always successfully return a boolean, and under no circumstance revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-165 as expected, specifically if it returns a value other than 0 or 1. The contracts that may be affected are those that use ERC165Checker to check for support for an interface and then handle the lack of support in a way other than reverting. The issue was patched in version 4.7.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenZeppelin Contracts ERC165Checker.supportsInterface may revert instead of returning false when target returns non-boolean values, breaking expected behavior.
Vulnerability
Overview
CVE-2022-31170 affects OpenZeppelin Contracts versions 4.0.0 up to, but not including, 4.7.1. The ERC165Checker.supportsInterface function is designed to always return a boolean value without reverting. However, due to an incorrect assumption about Solidity 0.8's abi.decode behavior, the function can revert if the target contract returns a value other than 0 or 1 when queried for interface support [1][4]. This violates the expected contract of the function.
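The decode that reverts, beside one that cannot, as an added illustration of the mechanism described above and of the kind of fix applied in 4.7.1. This is not OpenZeppelin's code: the library, contract and function names are invented, the fixture is constructed, and it assumes Solidity 0.8 with the default ABI coder v2 (which validates `bool` values on decode).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative code, not OpenZeppelin's ERC165Checker. Names are invented.
interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

library ERC165Query {
    // Shared low-level query: gas-capped staticcall, raw return data handed back.
    function _query(address target, bytes4 id) private view returns (bool ok, bytes memory data) {
        (ok, data) = target.staticcall{gas: 30000}(
            abi.encodeWithSelector(IERC165.supportsInterface.selector, id)
        );
    }

    // Vulnerable pattern: abi.decode(..., (bool)) in Solidity 0.8 checks that the
    // returned word is exactly 0 or 1 and reverts otherwise, so a target returning
    // any other value turns this "never reverts" helper into a revert.
    function supportsInterfaceUnsafe(address target, bytes4 id) internal view returns (bool) {
        (bool ok, bytes memory data) = _query(target, id);
        if (!ok || data.length < 32) return false;
        return abi.decode(data, (bool));
    }

    // Hardened pattern: read the word as uint256 (no validity check on decode) and
    // treat any non-zero value as "supported". Cannot revert on any return data.
    function supportsInterfaceSafe(address target, bytes4 id) internal view returns (bool) {
        (bool ok, bytes memory data) = _query(target, id);
        if (!ok || data.length < 32) return false;
        return abi.decode(data, (uint256)) != 0;
    }
}

// Constructed test fixture: returns a 32-byte word that is neither 0 nor 1.
// The compiler would clean a real `bool` return value, so assembly is used.
contract NonCanonicalERC165 {
    function supportsInterface(bytes4) external pure returns (bool) {
        assembly {
            mstore(0x00, 2)
            return(0x00, 0x20)
        }
    }
}

contract Harness {
    address public immutable target;
    constructor() { target = address(new NonCanonicalERC165()); }
    // 0x01ffc9a7 is the ERC-165 interface id. viaUnsafe reverts; viaSafe returns true.
    function viaUnsafe() external view returns (bool) { return ERC165Query.supportsInterfaceUnsafe(target, 0x01ffc9a7); }
    function viaSafe() external view returns (bool) { return ERC165Query.supportsInterfaceSafe(target, 0x01ffc9a7); }
}
```

Deploy Harness and call both getters: the unsafe path reverts with empty return data, which is exactly the failure a caller that branches on the boolean cannot handle.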
Exploitation
Conditions
An attacker can trigger this revert by deploying a contract that does not properly implement EIP-165—specifically, one that returns a non-standard value (not 0 or 1) from supportsInterface. Any contract that uses ERC165Checker to check for interface support and then handles the lack of support in a way other than reverting (e.g., by branching on the boolean result) is vulnerable. No special authentication or network position is required; the attacker only needs to interact with the affected contract via a malicious target [1][3].
Impact
Instead of gracefully returning false when an interface is not supported, the call reverts. This can cause denial-of-service conditions in contracts that rely on the boolean return value for control flow, potentially locking funds or breaking critical logic. The impact is limited to contracts that do not revert on missing interface support, but it can be severe in systems where such checks are used for access control or feature detection [4].
Mitigation
The issue is patched in OpenZeppelin Contracts version 4.7.1. Users should upgrade to this version or later. No workaround is provided; upgrading is the recommended action [1][3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @openzeppelin/contracts (npm) | >= 4.0.0, < 4.7.1 | 4.7.1 |
| @openzeppelin/contracts-upgradeable (npm) | >= 4.0.0, < 4.7.1 | 4.7.1 |
Affected products
- (no CPE) range: >= 4.0.0, < 4.7.1
- OpenZeppelin/openzeppelin-contracts (v5) range: >= 4.0.0, < 4.7.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-qh9x-gcfh-pcrw (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2022-31170 (NVD entry)
- [3] https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552 (fix pull request)
- [4] https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-qh9x-gcfh-pcrw (OpenZeppelin advisory)
News mentions
No linked articles in our index yet.