openzeppelin-cairo-contracts@0.3.0 vulnerabilities

Library for secure smart contract development written in Cairo

latest version

0.6.1
latest non vulnerable version

0.6.1
first published

2 years ago
latest version published

a year ago
licenses detected
- MIT
  [0,)
View openzeppelin-cairo-contracts package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the openzeppelin-cairo-contracts package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Cryptographic Issues openzeppelin-cairo-contracts is an A library for secure smart contract development written in Cairo for StarkNet Affected versions of this package are vulnerable to Cryptographic Issues due to the `is_valid_eth_signature` function which is missing a call to `finalize_keccak` function after calling the `verify_eth_signature` function. Impact As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. How to fix Cryptographic Issues? Upgrade `openzeppelin-cairo-contracts` to version 0.6.1 or higher.	[0.2.0,0.6.1)

Cryptographic Issues

openzeppelin-cairo-contracts is an A library for secure smart contract development written in Cairo for StarkNet

Affected versions of this package are vulnerable to Cryptographic Issues due to the is_valid_eth_signature function which is missing a call to finalize_keccak function after calling the verify_eth_signature function.

Impact

As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts.

How to fix Cryptographic Issues?

Upgrade openzeppelin-cairo-contracts to version 0.6.1 or higher.

[0.2.0,0.6.1)

Go back to all versions of this package

openzeppelin-cairo-contracts@0.3.0 vulnerabilities

Library for secure smart contract development written in Cairo

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Impact