GovernorCompatibilityBravo may trim proposal calldata

CVE-2023-30542

What is CVE-2023-30542?

A logic flaw in OpenZeppelin Contracts affects the proposal creation entrypoint ('propose') in the 'GovernorCompatibilityBravo'. This vulnerability allows the creation of proposals with a 'signatures' array shorter than the corresponding 'calldatas' array. As a result, the extra elements in 'calldatas' get overlooked, potentially leading to the execution of actions without the expected calldata if the proposal passes. While the 'ProposalCreated' event accurately reflects the intended execution, querying through 'getActions' can misrepresent the proposal parameters. OpenZeppelin has released a patch in version 4.8.3 to address this issue. As a preventive measure, users are advised to ensure that the lengths of the 'signatures' and 'calldatas' parameters match for all governance proposals.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References