PT-2022-20586 · Openzeppelin · Openzeppelin Contracts

Frangio · Published 2022-07-21 · Updated 2022-08-01 · CVE-2022-31172

CVSS v3.1: 7.5 High, Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions OpenZeppelin Contracts versions 4.1.0 through 4.7.0 (every release before 4.7.1)
Description SignatureChecker.isValidSignatureNow is not expected to revert, but in the affected versions it can. The EIP-1271 path staticcalls the signer's isValidSignature(bytes32,bytes) and decodes the 32-byte return value as bytes4. Under Solidity 0.8's ABI decoder a bytes4 value is validated when decoded, so a returned word whose low 28 bytes are not zero makes abi.decode revert instead of yielding a value that simply fails the comparison. The library assumed abi.decode would not revert here; that assumption breaks when the target contract does not implement EIP-1271 as expected, for example a contract whose function with the isValidSignature selector returns an arbitrary 32-byte word. Contracts affected are those that use SignatureChecker to check signature validity and handle invalid signatures in a way other than reverting (skipping them, flagging them, counting them): if such a contract is pointed at a signer of that kind, the check reverts where a false result was expected. Contracts that already revert on an invalid signature are not affected.
Recommendations Update to version 4.7.1. The fix decodes the return value as bytes32 and compares it against bytes32(IERC1271.isValidSignature.selector), so an ill-encoded return value yields false rather than a revert. Until the update is applied, do not use SignatureChecker.isValidSignatureNow in any way that relies on it not reverting; where a non-reverting result is required, wrap the call in try/catch and treat a revert as an invalid signature.
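The example below is added here to make the description and the workaround concrete; it is not OpenZeppelin code and does not import the library. The contract names (IllEncodedSigner, Checker, Demo) and the two check functions are hypothetical: vulnerableCheck mirrors the shape of the pre-4.7.1 decode, fixedCheck mirrors the shape of the 4.7.1 decode, and Demo.run wraps the call in try/catch the way an interim workaround would.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not OpenZeppelin code. All contract and function names are hypothetical.

// EIP-1271 magic value, bytes4(keccak256("isValidSignature(bytes32,bytes)")).
bytes4 constant EIP1271_MAGIC = 0x1626ba7e;

// A signer that does not implement EIP-1271 as expected: the function matching the
// isValidSignature selector returns a full 32-byte word whose low 28 bytes are not zero.
contract IllEncodedSigner {
    function isValidSignature(bytes32, bytes calldata) external pure returns (bytes32) {
        // Magic value in the top 4 bytes, a dirty bit in the lowest byte.
        return bytes32((uint256(uint32(EIP1271_MAGIC)) << 224) | 1);
    }
}

contract Checker {
    function _callSigner(address signer, bytes32 hash, bytes memory signature)
        private
        view
        returns (bool success, bytes memory result)
    {
        (success, result) = signer.staticcall(
            abi.encodeWithSelector(EIP1271_MAGIC, hash, signature)
        );
    }

    // Shape of the check in 4.1.0 through 4.7.0: decoding the returned word as bytes4 makes
    // the Solidity 0.8 ABI decoder validate that the low 28 bytes are zero, so an ill-encoded
    // return value reverts here instead of producing a value that fails the comparison.
    function vulnerableCheck(address signer, bytes32 hash, bytes memory signature)
        external
        view
        returns (bool)
    {
        (bool success, bytes memory result) = _callSigner(signer, hash, signature);
        return success && result.length == 32 && abi.decode(result, (bytes4)) == EIP1271_MAGIC;
    }

    // Shape of the 4.7.1 fix: decode as bytes32 (no padding validation) and compare against
    // the left-aligned magic value. Any other word is simply unequal, so this returns false.
    function fixedCheck(address signer, bytes32 hash, bytes memory signature)
        external
        view
        returns (bool)
    {
        (bool success, bytes memory result) = _callSigner(signer, hash, signature);
        return success && result.length == 32 && abi.decode(result, (bytes32)) == bytes32(EIP1271_MAGIC);
    }
}

contract Demo {
    Checker private immutable checker;
    IllEncodedSigner private immutable signer;

    constructor() {
        checker = new Checker();
        signer = new IllEncodedSigner();
    }

    // Exercises both checks against the ill-encoded signer. The try/catch around the
    // vulnerable check is the interim workaround for a caller that must not revert on a
    // bad signer before upgrading: a revert is treated as an invalid signature.
    function run() external view returns (bool vulnerableReverted, bool fixedResult) {
        try checker.vulnerableCheck(address(signer), bytes32(0), "") returns (bool ok) {
            vulnerableReverted = !ok && false; // reached only if the decode did not revert
        } catch {
            vulnerableReverted = true;
        }
        fixedResult = checker.fixedCheck(address(signer), bytes32(0), "");
    }
}
```

Deploying Demo and calling run() shows the two behaviours side by side: the bytes4 decode reverts on the ill-encoded word, while the bytes32 comparison returns false for the same signer. Note that the `success &&` short-circuit already handles a signer whose call fails outright; the revert only arises from decoding a successful call's 32-byte return value, which is why a well-formed EIP-1271 signer never triggers it.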

Weakness Enumeration

CWE-347 Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2022-31172
GHSA-4G63-C64M-25W9

Affected Products

Openzeppelin Contracts