CVE-2021-39168

10.0 CRITICAL

📋 TL;DR

This vulnerability in OpenZeppelin's TimelockController smart contract allows actors with the executor role to escalate privileges and potentially gain unauthorized control over the contract. It affects all smart contracts using vulnerable versions of OpenZeppelin's TimelockController. Teams using OpenZeppelin for smart contract development are at risk.

💻 Affected Systems

Products:
  • OpenZeppelin Contracts
  • OpenZeppelin Contracts Upgradeable
Versions: Versions before 4.3.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any smart contract using TimelockController from vulnerable OpenZeppelin versions.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the smart contract, allowing unauthorized execution of any transaction, fund theft, or contract destruction.

🟠

Likely Case

Unauthorized privilege escalation leading to unauthorized contract modifications or fund transfers.

🟢

If Mitigated

Limited impact if proper role management is implemented and executors are restricted to trusted accounts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires executor role access. Full technical details are not yet publicly disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.1

Vendor Advisory: https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/security/advisories/GHSA-vrw4-w73r-6mm8

Restart Required: No

Instructions:

1. Update OpenZeppelin contracts to version 4.3.1 or later.
2. Recompile and redeploy affected smart contracts.
3. Verify the fix by checking the contract version and functionality.

🔧 Temporary Workarounds

Revoke Untrusted Executor Roles

Remove executor role from accounts not strictly under team control, especially those that are not also proposers.

// Smart contract call to revoke executor role
// Example: timelockController.revokeRole(EXECUTOR_ROLE, untrustedAddress)

🧯 If You Can't Patch

  • Immediately revoke executor role from all untrusted accounts
  • Ensure at least one proposer and executor remain after role revocation
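For the revocation workaround above and the two rules under "If You Can't Patch", here is an added JavaScript example (not code from the advisory or from OpenZeppelin) that replays a constructed RoleGranted/RoleRevoked event history, lists EXECUTOR_ROLE holders that are not also proposers, and refuses any plan that would leave the timelock with no proposer or no executor. The role hashes, the event shape and the sample addresses are assumptions to confirm against your own deployment.

```javascript
// Added example, not from the advisory or OpenZeppelin: rebuild a TimelockController's
// role membership from its AccessControl RoleGranted/RoleRevoked events and plan which
// EXECUTOR_ROLE holders to revoke, keeping at least one proposer and executor.
// Role ids are keccak256(role name); these are the well-known 4.x values and are an
// assumption here: confirm them against the contract's PROPOSER_ROLE()/EXECUTOR_ROLE().
const PROPOSER_ROLE = "0xb09aa5aeb3702cfd50b6b62bc4532604938f21248a27a1d5ca736082b6819cc1";
const EXECUTOR_ROLE = "0xd8aa0f3194971a2a116679f7c2090f6939c8d4e01a2a8d7e41d55e5351469e63";
// address(0) as an executor makes the role "open": anyone may call execute().
const OPEN_EXECUTOR = "0x" + "0".repeat(40);

// Constructed sample event log (not real chain data), oldest first.
const MULTISIG = "0x" + "a".repeat(39) + "1"; // proposer and executor
const BOT = "0x" + "b".repeat(39) + "2";      // executor only
const RETIRED = "0x" + "c".repeat(39) + "3";  // executor that was already revoked
const SAMPLE_EVENTS = [
  { name: "RoleGranted", role: PROPOSER_ROLE, account: MULTISIG },
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: MULTISIG },
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: BOT },
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: RETIRED },
  { name: "RoleRevoked", role: EXECUTOR_ROLE, account: RETIRED },
  { name: "RoleGranted", role: EXECUTOR_ROLE, account: OPEN_EXECUTOR },
];

// Replay grants and revocations in order; the final sets are the current members.
function currentMembers(events) {
  const members = { [PROPOSER_ROLE]: new Set(), [EXECUTOR_ROLE]: new Set() };
  for (const ev of events) {
    const set = members[ev.role];
    if (!set) continue; // ignore other roles (e.g. TIMELOCK_ADMIN_ROLE)
    const acct = ev.account.toLowerCase();
    if (ev.name === "RoleGranted") set.add(acct);
    else if (ev.name === "RoleRevoked") set.delete(acct);
  }
  return members;
}

// Executors that are neither proposers nor on the trusted list, plus the open-role
// sentinel, are the revocation candidates. Refuse a plan that leaves no proposer
// or no executor, since the timelock could then never schedule or execute again.
function planRevocations(events, trusted) {
  const { [PROPOSER_ROLE]: proposers, [EXECUTOR_ROLE]: executors } = currentMembers(events);
  const keep = new Set(trusted.map((a) => a.toLowerCase()));
  const revoke = [...executors].filter(
    (a) => a === OPEN_EXECUTOR || (!proposers.has(a) && !keep.has(a))
  );
  const remaining = [...executors].filter((a) => !revoke.includes(a));
  if (proposers.size === 0) throw new Error("no proposer would remain");
  if (remaining.length === 0) throw new Error("no executor would remain; grant a trusted one first");
  // Each entry is the revokeRole(role, account) call to submit from the role admin.
  return { revoke, remaining, calls: revoke.map((a) => ({ fn: "revokeRole", role: EXECUTOR_ROLE, account: a })) };
}
```

In a real deployment the events come from the chain (e.g. a log query for the RoleGranted/RoleRevoked topics on the timelock address) and the resulting revokeRole calls are submitted by the holder of TIMELOCK_ADMIN_ROLE, which in 4.x is normally the timelock itself via a scheduled operation.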

🔍 How to Verify

Check if Vulnerable:

Check if your smart contract uses OpenZeppelin TimelockController from versions before 4.3.1.

Check Version:

// Check package.json or equivalent for the OpenZeppelin version in use
// Example: grep -E '@openzeppelin/contracts(-upgradeable)?' package.json
// or: npm ls @openzeppelin/contracts @openzeppelin/contracts-upgradeable

Verify Fix Applied:

Verify contract uses OpenZeppelin version 4.3.1 or later and test role-based access controls.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected role assignments in smart contract logs
  • Unauthorized transaction executions from executor accounts

Network Indicators:

  • Unusual transaction patterns from executor addresses
  • Unexpected contract state changes

SIEM Query:

Not applicable - this is a smart contract vulnerability requiring blockchain monitoring tools.
