OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers

High severity • GitHub Reviewed
Published Jul 20, 2022 in OpenZeppelin/openzeppelin-contracts • Updated Jan 27, 2023
Description

Published to the GitHub Advisory Database: Jul 21, 2022
Reviewed: Jul 21, 2022
Published by the National Vulnerability Database: Jul 22, 2022
Last updated: Jan 27, 2023
Impact

SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected.

The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. We believe this to be unlikely.

Patches

The issue was patched in 4.7.1.
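The following Solidity is an added illustration of the Impact and Patches sections above, not OpenZeppelin's source. It reconstructs a simplified form of the EIP-1271 branch of SignatureChecker.isValidSignatureNow in the shape it is assumed to have had before and after the 4.7.1 fix (the ECDSA recovery branch that precedes it in the library is omitted), together with a constructed non-conforming signer, BadReturnSigner, that returns a full 32-byte value instead of a clean bytes4. The library, contract and function names below are this example's own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not OpenZeppelin's source): a simplified reconstruction of the
// EIP-1271 branch of SignatureChecker.isValidSignatureNow, before and after the
// 4.7.1 fix. The ECDSA recovery branch that precedes it in the library is omitted.

interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes memory signature)
        external
        view
        returns (bytes4 magicValue);
}

library SignatureCheckerDemo {
    // Pre-fix shape (assumed). The length check keeps EOAs and empty returns
    // safe, but abi.decode(..., (bytes4)) in Solidity 0.8 validates that the 28
    // low-order bytes of the word are zero and reverts otherwise, so a signer
    // that returns a full-width value (e.g. a uint256 error code) makes the
    // caller revert instead of receiving `false`.
    function isValidSignatureNowBefore(
        address signer,
        bytes32 hash,
        bytes memory signature
    ) internal view returns (bool) {
        (bool success, bytes memory result) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, signature)
        );
        return (success &&
            result.length == 32 &&
            abi.decode(result, (bytes4)) == IERC1271.isValidSignature.selector);
    }

    // Post-fix shape (assumed): decode the word as bytes32, which never fails
    // validation, and compare it with the left-aligned magic value. Any
    // non-conforming return data now yields `false` rather than a revert.
    function isValidSignatureNowAfter(
        address signer,
        bytes32 hash,
        bytes memory signature
    ) internal view returns (bool) {
        (bool success, bytes memory result) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, signature)
        );
        return (success &&
            result.length == 32 &&
            abi.decode(result, (bytes32)) == bytes32(IERC1271.isValidSignature.selector));
    }
}

// Constructed non-conforming signer: same selector (0x1626ba7e), but it returns
// a 32-byte error code instead of a clean bytes4, which is the kind of target
// the advisory describes.
contract BadReturnSigner {
    function isValidSignature(bytes32, bytes memory) external pure returns (uint256) {
        return 0xdeadbeef; // low-order bytes set: fails bytes4 decoding validation
    }
}

// Constructed conforming signer that accepts every signature (for contrast only).
contract AlwaysValidSigner is IERC1271 {
    function isValidSignature(bytes32, bytes memory) external pure override returns (bytes4) {
        return IERC1271.isValidSignature.selector; // 0x1626ba7e
    }
}

// Harness: checkBefore(BadReturnSigner) reverts, checkAfter(BadReturnSigner)
// returns false; both return true for AlwaysValidSigner.
contract Harness {
    function checkBefore(address signer) external view returns (bool) {
        return SignatureCheckerDemo.isValidSignatureNowBefore(signer, bytes32(0), hex"");
    }

    function checkAfter(address signer) external view returns (bool) {
        return SignatureCheckerDemo.isValidSignatureNowAfter(signer, bytes32(0), hex"");
    }
}
```

Deploy Harness, BadReturnSigner and AlwaysValidSigner in a local test environment and call checkBefore and checkAfter with each signer address: the pre-fix shape reverts for BadReturnSigner, while the post-fix shape returns false and leaves the caller's own handling of an invalid signature intact. A test of this kind, with a deliberately non-conforming EIP-1271 responder, is a useful regression check for any contract that relies on isValidSignatureNow returning rather than reverting.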
References
OpenZeppelin/openzeppelin-contracts#3552
For more information
If you have any questions or comments about this advisory, or need assistance deploying the fix, email us at security@openzeppelin.com.