VYPR
Moderate severityNVD Advisory· Published Jun 7, 2023· Updated Feb 6, 2025

Governor proposal creation may be blocked by frontrunning in OpenZeppelin

CVE-2023-34234

Description

OpenZeppelin Contracts is a library for smart contract development. By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all. This impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0. This problem has been patched in 4.9.1 by introducing opt-in frontrunning protection. Users are advised to upgrade. Users unable to upgrade may submit the proposal creation transaction to an endpoint with frontrunning protection as a workaround.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@openzeppelin/contractsnpm
>= 4.3.0, < 4.9.14.9.1
@openzeppelin/contracts-upgradeablenpm
>= 4.3.0, < 4.9.14.9.1

Affected products

3

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.