CVE-2023-23940 MEDIUM

CVE-2023-23940: OpenZeppelin Contracts for Cairo is vulnerable to signature validation bypass

Vendor Openzeppelin
Product cairo-contracts
Weakness CWE-347
Published February 3, 2023
Last update March 10, 2025

CVSS base score

6.4/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

What the vulnerability does

01Description

OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.

Key dates

02Disclosure timeline

February 3, 2023 CVE published
March 10, 2025 Record updated