Security: OpenZeppelin/openzeppelin-contracts
SECURITY.md
Security vulnerabilities should be disclosed to the project maintainers through Immunefi, or alternatively by email to security@openzeppelin.com.
Responsible disclosure of security vulnerabilities is rewarded through a bug bounty program on Immunefi.
There is a bonus reward for issues introduced in release candidates that are reported before making it into a stable release. Learn more about release candidates at RELEASING.md.
Security vulnerabilities will be patched as soon as responsibly possible, and published as an advisory on this repository (see advisories) and on the affected npm packages.
Projects that build on OpenZeppelin Contracts are encouraged to clearly state, in their source code and websites, how to be contacted about security issues in the event that a direct notification is considered necessary. We recommend including it in the NatSpec for the contract as /// @custom:security-contact security@example.com.
Additionally, we recommend installing the library through npm and setting up vulnerability alerts such as Dependabot.
Security patches will be released for the latest minor of a given major release. For example, if an issue is found in versions >=4.6.0 and the latest is 4.8.0, the patch will be released only in version 4.8.1.
Only critical severity bug fixes will be backported to past major releases.
Version | Critical security fixes | Other security fixes |
---|---|---|
5.x | ✅ | ✅ |
4.9 | ✅ | ❌ |
3.4 | ✅ | ❌ |
2.5 | ❌ | ❌ |
< 2.0 | ❌ | ❌ |
Note as well that the Solidity language itself only guarantees security updates for the latest release.
Blockchain is a nascent technology and carries a high level of risk and uncertainty. OpenZeppelin makes certain software available under open source licenses, which disclaim all warranties in relation to the project and which limit the liability of OpenZeppelin. Subject to any particular licensing terms, your use of the project is governed by the terms found at www.openzeppelin.com/tos (the "Terms"). As set out in the Terms, you are solely responsible for any use of the project and you assume all risks associated with any such use. This Security Policy in no way evidences or represents an ongoing duty by any contributor, including OpenZeppelin, to correct any issues or vulnerabilities or alert you to all or any of the risks of utilizing the project.
- Base64 encoding may read from potentially dirty memory (GHSA-9vx6-7xxf-x967, published Feb 29, 2024 by ernestognw, severity: Low)
- Duplicated execution of subcalls in v4.9.4 (GHSA-699g-q6qh-q4v8, published Dec 8, 2023 by Amxx, severity: Moderate)
- ERC2771Context with custom forwarder may lead to zero-valued _msgSender (GHSA-g4vp-m682-qqmp, published Aug 10, 2023 by frangio, severity: Low)
- MerkleProof multiproofs may allow proving arbitrary leaves for specific trees (GHSA-wprv-93r4-jj2p, published Jun 16, 2023 by frangio, severity: Moderate)
- Governor proposal creation may be blocked by frontrunning (GHSA-5h3x-9wvq-w4m2, published Jun 7, 2023 by frangio, severity: Moderate)
- TransparentUpgradeableProxy clashing selector calls may not be delegated (GHSA-mx2q-35m2-x2rh, published Apr 13, 2023 by frangio, severity: Low)
- GovernorCompatibilityBravo may trim proposal calldata (GHSA-93hq-5wgc-jc82, published Apr 13, 2023 by frangio, severity: Moderate)
- ERC721Consecutive incorrect balance update with batch of 1 (GHSA-878m-3g6q-594q, published Mar 2, 2023 by frangio, severity: Moderate)
- ECDSA signature malleability (GHSA-4h98-2769-gh6h, published Aug 10, 2022 by frangio, severity: High)
- Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls (GHSA-9j3m-g383-29qr, published Jul 28, 2022 by frangio, severity: Low)