PT-2022-23021 · OpenZeppelin · OpenZeppelin Contracts
Frangio · Published 2022-08-01 · Updated 2023-07-21 · CVE-2022-35915
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
OpenZeppelin Contracts versions prior to 4.7.2
Description
The target contract of an EIP-165 supportsInterface query can cause unbounded gas consumption by returning a large amount of data, while it is generally assumed that this operation has a bounded cost.
Recommendations
If you use a version prior to 4.7.2, upgrade to OpenZeppelin Contracts 4.7.2 to resolve the issue. As a temporary workaround, restrict the amount of data returned by the target contract of an EIP-165 supportsInterface query to prevent unbounded gas consumption.
Exploit
Fix
Resource Exhaustion
Allocation of Resources Without Limits
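Added illustration for the description and the recommendation above; this is example code written for this entry, not OpenZeppelin's own implementation. It contrasts the two ways a caller can issue an EIP-165 supportsInterface query. `supportsInterfaceUnbounded` uses a high-level staticcall, which copies whatever the target returns into the caller's memory before the length check runs, so the caller's gas spend is decided by the target rather than by the gas stipend handed to the call. `supportsInterfaceBounded` performs the same call in assembly and asks the EVM to copy at most 32 bytes, the size of one ABI-encoded bool, reading the true length from returndatasize() without copying it. `OversizedResponder` is a constructed fixture that answers true but pads its response with 64 KiB of return data, and `GasComparison` measures both query styles against it. The contract and function names and the 30000 gas stipend are choices made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Example code for this advisory entry, not OpenZeppelin's implementation.
interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

library InterfaceQuery {
    // Unbounded pattern: the high-level staticcall copies the *entire* return
    // data into memory (returndatacopy plus memory expansion) before the
    // `result.length` check can run. That copy is paid by the caller and its
    // size is chosen by the target, so the 30000 gas stipend bounds only the
    // callee's execution, not the caller's total cost.
    function supportsInterfaceUnbounded(address account, bytes4 interfaceId) internal view returns (bool) {
        bytes memory encodedParams = abi.encodeWithSelector(IERC165.supportsInterface.selector, interfaceId);
        (bool success, bytes memory result) = account.staticcall{gas: 30000}(encodedParams);
        if (result.length < 32) {
            return false; // too late: the oversized copy has already been paid for
        }
        return success && abi.decode(result, (bool));
    }

    // Bounded pattern: copy at most 32 bytes of return data into the scratch
    // space at 0x00 and read the real length from returndatasize(). The
    // caller's cost no longer depends on how much the target returns.
    function supportsInterfaceBounded(address account, bytes4 interfaceId) internal view returns (bool) {
        bytes memory encodedParams = abi.encodeWithSelector(IERC165.supportsInterface.selector, interfaceId);
        bool success;
        uint256 returnSize;
        uint256 returnValue;
        /// @solidity memory-safe-assembly
        assembly {
            // staticcall(gas, target, in_ptr, in_len, out_ptr, out_len)
            success := staticcall(30000, account, add(encodedParams, 0x20), mload(encodedParams), 0x00, 0x20)
            returnSize := returndatasize()
            returnValue := mload(0x00)
        }
        // A well-formed answer is at least one word long and non-zero for `true`.
        return success && returnSize >= 0x20 && returnValue > 0;
    }
}

// Constructed fixture: answers `true` but hands back 64 KiB of return data,
// which is the behaviour the advisory describes.
contract OversizedResponder is IERC165 {
    function supportsInterface(bytes4) external pure override returns (bool) {
        assembly {
            mstore(0x00, 1)         // ABI-encoded `true` in the first word
            return(0x00, 0x10000)   // followed by 64 KiB of padding
        }
    }
}

// Harness: run both query styles against the same target and report the gas
// each one consumed, so the difference caused by the return-data copy is visible.
contract GasComparison {
    function measure(address target)
        external
        view
        returns (uint256 unboundedGas, uint256 boundedGas, bool unboundedResult, bool boundedResult)
    {
        uint256 g = gasleft();
        unboundedResult = InterfaceQuery.supportsInterfaceUnbounded(target, type(IERC165).interfaceId);
        unboundedGas = g - gasleft();

        g = gasleft();
        boundedResult = InterfaceQuery.supportsInterfaceBounded(target, type(IERC165).interfaceId);
        boundedGas = g - gasleft();
    }
}
```

Deploy `OversizedResponder`, then call `GasComparison.measure` with its address: both queries report `true`, but `unboundedGas` grows with the size of the padding while `boundedGas` does not. The check to apply in a code review is whether the return data of an untrusted staticcall is ever materialised as `bytes memory` before its length is validated; if it is, the caller's gas budget is under the target's control.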
Related Identifiers
Affected Products
Openzeppelin Contracts