OpenZeppelin is a building block for many smart contracts on Ethereum-compatible blockchains. It provides modular and reusable libraries for various Ethereum standards (e.g., ERC20 and ERC721) and common functionalities such as upgradeable contracts. Little research has been done on OpenZeppelin security except for a recent study, which focused only on the \textit{misuse} of OpenZeppelin code, assuming OpenZeppelin itself is secure but contract developers may not follow OpenZeppelin ’s function checks appropriately. We argue that, despite appearing robust, OpenZeppelin itself could have many Vulnerabilities, and these library-level vulnerabilities could inadvertently affect third-party smart contracts, even without misuse from developers.

We present ZEPCOMPARE, the first end-to-end system for demystifying OpenZeppelin’s own vulnerabilities and analyzing their propagation in third-party smart contracts. ZEPCOMPARE incorporates a manual analysis stage where we review OpenZeppelin’s 64 historical releases, identifying 109 vulnerable-fixed code pairs, exposing flaws in cryptographic utilities, access control, etc. Leveraging these pairs, ZEPCOMPARE introduces \textit{facts of changes}, a novel structure capturing vulnerable and fixed code contexts for flexible matching. Evaluated across 88,605 contracts from three Ethereum-compatible chains, ZEPCOMPARE detects 4,708 instances of OpenZeppelin-derived vulnerabilities. Manual sampling and a ground-truth experiment confirm that ZEPCOMPARE achieves 86.7% precision and 77.1% recall. Our findings reveal significant security risks in both historical and the latest versions of OpenZeppelin libraries, underscoring the urgent need for systematic auditing of foundational contracts components.