CVE-2023-23940: Improper Verification of Cryptographic Signature
OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature. As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.
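
Why the missing call matters, shown as an added Python model (not OpenZeppelin's Cairo code): in the Cairo 0 keccak library the hash outputs are filled in by the prover and are only constrained when finalize_keccak runs, and verify_eth_signature relies on such a hash to turn the recovered public key into an address. KeccakSegment, the two prover functions, the sample keys and the use of SHA3-256 in place of Keccak-256 are assumptions of this example; public-key recovery from the signature is abstracted into recovered_pubkey.

```python
import hashlib

def real_hash(data: bytes) -> bytes:
    # Assumption: SHA3-256 stands in for Keccak-256 (hashlib has no Keccak-256).
    return hashlib.sha3_256(data).digest()

class KeccakSegment:
    """Model of keccak_ptr: (input, output) pairs whose outputs come from the prover."""
    def __init__(self, prover):
        self.prover = prover      # untrusted party that supplies each hash output
        self.entries = []

    def keccak(self, data: bytes) -> bytes:
        out = self.prover(data)   # recorded, but not constrained at this point
        self.entries.append((data, out))
        return out

    def finalize(self) -> None:
        # Model of finalize_keccak: recompute every recorded hash and constrain it.
        for data, out in self.entries:
            if real_hash(data) != out:
                raise ValueError("keccak output inconsistent with its input")

def is_valid_eth_signature(recovered_pubkey, eth_address, prover, finalize):
    """recovered_pubkey stands for the key recovered from (hash, r, s, v)."""
    seg = KeccakSegment(prover)
    derived = seg.keccak(recovered_pubkey)[-20:]   # address = last 20 bytes of the hash
    if derived != eth_address:
        return False
    if finalize:                  # the step added by the 0.6.1 patch
        try:
            seg.finalize()
        except ValueError:
            return False          # in Cairo the execution would be unprovable
    return True

# Constructed sample data, not real keys or addresses.
OWNER_KEY = b"\x01" * 64
OTHER_KEY = b"\x02" * 64
OWNER_ADDRESS = real_hash(OWNER_KEY)[-20:]

def honest_prover(data: bytes) -> bytes:
    return real_hash(data)

def inconsistent_prover(data: bytes) -> bytes:
    return b"\x00" * 12 + OWNER_ADDRESS   # an output unrelated to the input
```

With finalize=False the address comparison is the only check, so its result depends entirely on a value the prover chose; with finalize=True the recorded pair is recomputed and the inconsistent output is rejected.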