OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-02-03T19:43:11.178Z

Updated: 2024-08-02T10:49:07.630Z

Reserved: 2023-01-19T21:12:31.361Z

Link: CVE-2023-23940

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-02-03T20:15:11.037

Modified: 2024-11-21T07:47:08.737

Link: CVE-2023-23940

cve-icon Redhat

No data.