OpenZeppelin Contracts contains Improper Verification of Cryptographic Signature
Cause is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature. Impact As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. Risk In order to exploit this vulnerability, it is required to control a sequencer or prover since they're …