GHSA-HQF9-8XV5-X8XW
Vulnerability from github – Published: 2026-01-05 19:57 – Updated: 2026-01-05 19:57Impact
The ERC7984 contract tracks total supply using a confidential euint64 value. If a call to the internal _mint function would result in the total supply overflowing, the call fails silently. The wrap and onTransferReceived functions in ERC7984ERC20Wrapper assume that _mint won't fail silently and do not check the return value. If the mint function fails silently, users do not receive the confidential wrapped token but still send the underlying token, resulting in a loss of funds.
By default (without overriding rate(), the wrapper fills up after wrapping ~18.4 trillion tokens. There are very few tokens of value with sufficient total supply to result in the filling of the wrapper. That said, we recommend upgrading to 0.3.1 to remove this issue.
Patches
This issue has been patched in the 0.3.1 release.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0"
},
"package": {
"ecosystem": "npm",
"name": "@openzeppelin/confidential-contracts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-05T19:57:46Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nThe `ERC7984` contract tracks total supply using a confidential `euint64` value. If a call to the internal `_mint` function would result in the total supply overflowing, the call fails silently. The `wrap` and `onTransferReceived` functions in `ERC7984ERC20Wrapper` assume that `_mint` won\u0027t fail silently and do not check the return value. If the mint function fails silently, users do not receive the confidential wrapped token but still send the underlying token, resulting in a loss of funds.\n\nBy default (without overriding `rate()`, the wrapper fills up after wrapping ~18.4 trillion tokens. There are very few tokens of value with sufficient total supply to result in the filling of the wrapper. That said, we recommend upgrading to `0.3.1` to remove this issue. \n\n### Patches\nThis issue has been patched in the `0.3.1` release.",
"id": "GHSA-hqf9-8xv5-x8xw",
"modified": "2026-01-05T19:57:46Z",
"published": "2026-01-05T19:57:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenZeppelin/openzeppelin-confidential-contracts/security/advisories/GHSA-hqf9-8xv5-x8xw"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenZeppelin/openzeppelin-confidential-contracts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds."
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.