Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
OpenZeppelin released a bug-fix analysis. On August 21, 2021, whitehat Zb3 submitted a serious reentrancy vulnerability in OpenZeppelin's TimelockController contract, which affected a project hosted on the Immunefi bug bounty platform. The project chose to remain anonymous and paid the whitehat an undisclosed amount (including an anonymous bonus). OpenZeppelin paid the whitehat a $25,000 bonus in recognition of their contribution to community security and released a patch. As far as OpenZeppelin knows, this is the only serious vulnerability in its open-source smart contract library. The vulnerability has been patched in the affected projects, and OpenZeppelin has released an updated contract version that fixes it. All projects that use TimelockController should migrate. Attack method (per SlowMist): Contract Vulnerability. Reported loss: -.
- chain: —
- protocol: OpenZeppelin
- bug_class: reentrancy
- date_occurred: 2021-09-03
- loss_usd: —
- source_id: sm:openzeppelin::2021-09-03