5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34234

CVE-2023-34234: OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning

Impact

By frontrunning the creation of a proposal, an attacker can become the proposer and gain the ability to cancel it. The attacker can do this repeatedly to try to prevent a proposal from being proposed at all.

This impacts the Governor contract in v4.9.0 only, and the GovernorCompatibilityBravo contract since v4.3.0.

Patches

The problem has been patched in 4.9.1 by introducing opt-in frontrunning protection.

Workarounds

Submit the proposal creation transaction to an endpoint with frontrunning protection.

Credit

Reported by Lior Abadi and Joaquin Pereyra from Coinspect.

References

https://www.coinspect.com/openzeppelin-governor-dos/

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-34234

CVE-2023-34234:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@openzeppelin/contracts	npm	>= 4.3.0, < 4.9.1	4.9.1
@openzeppelin/contracts-upgradeable	npm	>= 4.3.0, < 4.9.1	4.9.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability exists in the proposal creation flow where authorization checks were insufficient. The patch added _isValidDescriptionForProposer to enforce proposer authorization via a description suffix. The vulnerable versions' propose functions (in both Governor and GovernorCompatibilityBravo) lacked this critical check, enabling frontrunning attacks. The CWE-862 (Missing Authorization) confirmation and commit diff showing the security check addition to propose() further validate this assessment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-34234: OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning

Impact

Patches

Workarounds

Credit

References

CVE-2023-34234:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2023-34234: OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning

Impact

Patches

Workarounds

Credit

References

5.3

5.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI