Skip to content

Inconsistent storage layout for ERC2771ContextUpgradeable

Low
frangio published GHSA-7j52-6fjp-58gr Mar 11, 2022

Package

npm @openzeppelin/contracts-upgradeable (npm)

Affected versions

>=4.0.0 <4.3.0

Patched versions

4.3.0

Description

Impact

The storage layout of the ERC2771ContextUpgradeable is not constant between versions.

  • versions 4.0.0, 4.1.0 and 4.2.0, the contract has a length of 51 slots.
  • since 4.3.0, the contract has a length of 50 slots
  • future versions will continue using 50 slots.

This difference in layout could result in breaking upgrades if someone upgrades from an affected version to a non-affected version. It is thus recommended to be extremely careful when upgrading from a contract that uses ERC2771ContextUpgradeable <4.3.0 to a newer version that uses >=4.3.0.

We've assessed the instances of this contract found on chain (with publicly verified source code) and notified the corresponding teams of the risk that an upgrade could cause.

Workarounds

Potentially breaking upgrades would be caught by the OpenZeppelin Upgrades Plugins for Hardhat and Truffle. It is recommended to use this tooling for all your upgrades.

If you need to upgrade to a newer version of the Upgradeable Contracts library, we recommend copying the previous implementation ERC2771ContextUpgradeable (available in the release-4.2 branch) and packaging it with your code.

Reference

OpenZeppelin/openzeppelin-transpiler#86

For more information

If you have any questions, comments, or need assistance regarding this advisory, email us at security@openzeppelin.com.

To submit security reports please use our bug bounty on Immunefi.

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs