Impact
Upgradeable contracts using UUPSUpgradeable
may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.
Patches
A fix is included in version 4.3.2 of @openzeppelin/contracts
and @openzeppelin/contracts-upgradeable
.
Workarounds
Initialize implementation contracts using UUPSUpgradeable
by invoking the initializer function (usually called initialize
). An example is provided in the forum.
References
A post-mortem will be published in a few days in the OpenZeppelin Forum.
For more information
If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.
Impact
Upgradeable contracts using
UUPSUpgradeable
may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.Patches
A fix is included in version 4.3.2 of
@openzeppelin/contracts
and@openzeppelin/contracts-upgradeable
.Workarounds
Initialize implementation contracts using
UUPSUpgradeable
by invoking the initializer function (usually calledinitialize
). An example is provided in the forum.References
A post-mortem will be published in a few days in the OpenZeppelin Forum.
For more information
If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.