Homepage
About Snyk

Cryptographic Issues Affecting openzeppelin-cairo-contracts package, versions [0.2.0,0.6.1)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.06% (29th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-OPENZEPPELINCAIROCONTRACTS-3310430
  • published 3 Feb 2023
  • disclosed 2 Feb 2023
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 2 Feb 2023

CVE-2023-23940 Open this link in a new tab
CWE-310 Open this link in a new tab

How to fix?

Upgrade openzeppelin-cairo-contracts to version 0.6.1 or higher.

Overview

openzeppelin-cairo-contracts is an A library for secure smart contract development written in Cairo for StarkNet

Affected versions of this package are vulnerable to Cryptographic Issues due to the is_valid_eth_signature function which is missing a call to finalize_keccak function after calling the verify_eth_signature function.

Impact

As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts.

Risk

In order to exploit this vulnerability, it is required to control a sequencer or prover since they're the ones executing the hints, being able to inject incorrect keccak results.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.6 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    Low
Expand this section

NVD

5.3 medium