CVE-2022-31198: Incorrect Calculation in Contracts

Severity
7.5 HIGH (NVD)
EPSS
0.3% (top 49.84%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 1
Latest update: Aug 18

Description

OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirements, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum r

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

NVD | openzeppelin/contracts | 4.3.0 | 4.7.2
npm | openzeppelin/contracts | 4.3.0 | 4.7.2
CVEListV5 | openzeppelin/openzeppelin-contracts | >= 4.3.0, < 4.7.2

Patches

Vulnerability Details (2)

GHSA
OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals (2022-08-18)
OSV
OpenZeppelin Contracts's GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals (2022-08-18)