GovernorCompatibilityBravo may trim proposal calldata
Description
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (propose) in GovernorCompatibilityBravo allows the creation of proposals with a signatures array shorter than the calldatas array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The ProposalCreated event correctly represents what will eventually execute, but the proposal parameters as queried through getActions appear to respect the original intended calldata. This issue has been patched in 4.8.3. As a workaround, ensure that all proposals that pass through governance have equal length signatures and calldatas parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenZeppelin Contracts GovernorCompatibilityBravo's `propose` function mismatches signature and calldata array lengths, leading to skipped calldata.
Vulnerability Description
CVE-2023-30542 is an input validation flaw in the GovernorCompatibilityBravo module of OpenZeppelin Contracts, a library for secure smart contract development. The propose function, which creates governance proposals, fails to enforce that the lengths of the signatures and calldatas arrays are equal [1]. This discrepancy arises because the internal logic iterates over the signatures array to build the final calldata, so when signatures is shorter, the extra elements in calldatas are simply ignored [3].
Attack Surface and Exploitation
The issue can be triggered by submitting a proposal whose signatures array contains fewer entries than its calldatas array. The ProposalCreated event correctly reflects only the actions that will actually execute; however, when the proposal's actions are later queried via getActions, the returned parameters still show the originally intended calldata, so a reviewer relying on getActions sees a different picture from what will run [1]. An attacker could craft such a proposal, and if it passes governance, the extra actions would execute with no calldata, potentially altering contract state in unintended ways. No special authentication beyond the ability to propose is required, as the bug is in the proposal creation logic itself.
Impact
If a proposal with mismatched array lengths succeeds, the corresponding extra actions execute with an empty calldata. This could allow a malicious proposer to slip in hidden, no-argument function calls that were not visible in the governance review process, leading to arbitrary state changes or fund mismanagement. The severity is moderate (CVSS 5.3), as exploitation requires a proposal to pass governance.
Mitigation
The vulnerability was patched in OpenZeppelin Contracts version 4.8.3 [4]. The fix adds a require statement ensuring signatures.length == calldatas.length and adjusts the iteration loop to use the calldatas length [3]. Users on earlier versions are advised to upgrade. As a workaround, any governance system using GovernorCompatibilityBravo should manually validate that proposal parameters have equal-length arrays before submission [1].
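The mechanics described above, as an added example rather than the library's own code: a simplified, hypothetical model of how a Bravo-compatible governor combines signatures and calldatas, showing the pre-4.8.3 style loop that leaves trailing entries empty next to a hardened version with the length check. The contract name, function names and revert message are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified model (not OpenZeppelin's code) of how a
// Bravo-compatible governor turns `signatures` + `calldatas` into the
// calldata that each target actually receives at execution time.
contract CalldataEncodingModel {
    // Pre-fix behaviour: the output array is sized by `calldatas`, but the
    // loop is driven by `signatures`. When `signatures` is shorter, the
    // trailing slots are never written and stay as empty `bytes`, so those
    // actions would execute with no calldata at all.
    function encodeVulnerable(string[] memory signatures, bytes[] memory calldatas)
        public pure returns (bytes[] memory fullcalldatas)
    {
        fullcalldatas = new bytes[](calldatas.length);
        for (uint256 i = 0; i < signatures.length; ++i) {
            fullcalldatas[i] = _withSelector(signatures[i], calldatas[i]);
        }
    }

    // Hardened behaviour: reject mismatched lengths up front and iterate
    // over `calldatas`, so no action can silently lose its arguments.
    function encodeFixed(string[] memory signatures, bytes[] memory calldatas)
        public pure returns (bytes[] memory fullcalldatas)
    {
        require(signatures.length == calldatas.length, "invalid signatures length"); // message assumed
        fullcalldatas = new bytes[](calldatas.length);
        for (uint256 i = 0; i < calldatas.length; ++i) {
            fullcalldatas[i] = _withSelector(signatures[i], calldatas[i]);
        }
    }

    // Defender-side check a reviewer can run against a proposal's encoded
    // actions: count how many would execute with empty calldata.
    function countEmptyActions(bytes[] memory fullcalldatas) public pure returns (uint256 empty) {
        for (uint256 i = 0; i < fullcalldatas.length; ++i) {
            if (fullcalldatas[i].length == 0) ++empty;
        }
    }

    // An empty signature means the calldata already carries its selector;
    // otherwise prepend the 4-byte selector derived from the signature.
    function _withSelector(string memory signature, bytes memory data) private pure returns (bytes memory) {
        return bytes(signature).length == 0
            ? data
            : abi.encodePacked(bytes4(keccak256(bytes(signature))), data);
    }
}
```

With one signature and two calldatas, encodeVulnerable returns two entries of which the second is empty (countEmptyActions reports 1), while encodeFixed reverts before any encoding happens.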
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @openzeppelin/contracts (npm) | >= 4.3.0, < 4.8.3 | 4.8.3 |
| @openzeppelin/contracts-upgradeable (npm) | >= 4.3.0, < 4.8.3 | 4.8.3 |
Affected products
- OpenZeppelin/openzeppelin-contracts (GHSA coordinates, no CPE assigned): >= 4.3.0, < 4.8.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-93hq-5wgc-jc82 (GitHub advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-30542 (NVD advisory)
- [3] github.com/OpenZeppelin/openzeppelin-contracts/commit/8d633cb7d169f2f8595b273660b00b69e845c2fe (fix commit)
- [4] github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3 (release)
- [5] github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-93hq-5wgc-jc82 (vendor advisory)
News mentions
No linked articles in our index yet.