CVE-2022-31172 Information

Description

OpenZeppelin Contracts is a library for smart contract development. Versions from 4.1.0 up to, but not including, 4.7.1 are vulnerable to SignatureChecker reverting. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert when the target contract does not implement EIP-1271 as expected. The contracts that may be affected are those that use SignatureChecker to check the validity of a signature and handle invalid signatures in a way other than reverting. The issue was patched in version 4.7.1.
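As an added illustration (not OpenZeppelin's own code; the actual patch is in the linked PR), the pattern described above: a checker that lets abi.decode revert when a non-conforming EIP-1271 responder returns unexpected data, beside a hardened variant that bounds the return data and decodes it as a raw word so every unexpected response becomes `false`. The interface, library and the BadSigner contract are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal EIP-1271 interface (constructed here; the real one is OpenZeppelin's IERC1271.sol).
interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes memory signature) external view returns (bytes4);
}

library ERC1271CheckExample {
    // Vulnerable pattern: the staticcall itself cannot revert, but abi.decode in
    // Solidity 0.8 validates what it decodes. If `signer` returns fewer than 32 bytes,
    // or a 32-byte word whose low 28 bytes are not zero, decoding as bytes4 reverts,
    // so a caller that wanted to treat an invalid signature as `false` never gets there.
    function isValidVulnerable(address signer, bytes32 hash, bytes memory signature) internal view returns (bool) {
        (bool success, bytes memory result) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, signature)
        );
        return success && abi.decode(result, (bytes4)) == IERC1271.isValidSignature.selector;
    }

    // Hardened pattern: require exactly one ABI word, decode it as bytes32 (which accepts
    // any bit pattern) and compare against the left-aligned selector. No input from the
    // responder can make this function revert; it only answers true or false.
    function isValidHardened(address signer, bytes32 hash, bytes memory signature) internal view returns (bool) {
        (bool success, bytes memory result) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, signature)
        );
        return success && result.length == 32
            && abi.decode(result, (bytes32)) == bytes32(IERC1271.isValidSignature.selector);
    }
}

// Constructed misbehaving responder: answers any call with a full word of 0xff bytes.
// isValidVulnerable reverts on it (dirty bytes4 padding); isValidHardened returns false.
contract BadSigner {
    fallback() external {
        assembly {
            mstore(0, not(0))
            return(0, 32)
        }
    }
}
```

A responder that returns no data at all (for example an EOA or a contract with an empty fallback) triggers the same split: the vulnerable decode reverts on the short return, while the hardened version fails the length check and returns false.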

Reference

https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-4g63-c64m-25w9
https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3552