Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. This vulnerability can lead to unauthorized ownership transfer, contrary to the original owner's intention of leaving the contract without an owner. It introduces a security risk where an unintended party (pending owner) can gain control of the contract after the original owner has renounced ownership. This could also be used by a malicious owner to simulate leaving a contract without an owner, to later regain ownership by previously having proposed himself as a pending owner. This issue has been addressed in release version 0.16.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
History

Thu, 19 Sep 2024 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Openzeppelin
Openzeppelin contracts
CPEs cpe:2.3:a:openzeppelin:contracts:*:*:*:*:*:cairo:*:*
Vendors & Products Openzeppelin
Openzeppelin contracts

Tue, 03 Sep 2024 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 31 Aug 2024 00:00:00 +0000

Type Values Removed Values Added
Description Cairo-Contracts are OpenZeppelin Contracts written in Cairo for Starknet, a decentralized ZK Rollup. This vulnerability can lead to unauthorized ownership transfer, contrary to the original owner's intention of leaving the contract without an owner. It introduces a security risk where an unintended party (pending owner) can gain control of the contract after the original owner has renounced ownership. This could also be used by a malicious owner to simulate leaving a contract without an owner, to later regain ownership by previously having proposed himself as a pending owner. This issue has been addressed in release version 0.16.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Title OwnableTwoStep allows a pending owner to accept ownership after the original owner has renounced ownership in cairo-contracts
Weaknesses CWE-670
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-08-30T23:51:01.301Z

Updated: 2024-09-03T19:52:20.818Z

Reserved: 2024-08-26T18:25:35.443Z

Link: CVE-2024-45304

cve-icon Vulnrichment

Updated: 2024-09-03T19:52:16.709Z

cve-icon NVD

Status : Analyzed

Published: 2024-08-31T00:15:05.493

Modified: 2024-09-19T17:26:37.030

Link: CVE-2024-45304

cve-icon Redhat

No data.