Insecure service configuration In @openzeppelin/contracts

Description

OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4

Context

A merge-conflict resolution error while porting the v5.0.1 Multicall update to the v4.9 branch left a duplicated line.

Impact

Versions using Multicall from @openzeppelin/contracts@4.9.4 and @openzeppelin/contracts-upgradeable@4.9.4 will execute each subcall twice. Concretely, this exposes a user to unintentionally duplicated operations such as asset transfers.

Patches

The duplicated delegatecall was removed in 4.9.5. The 4.9.4 version is marked as deprecated.
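The defect described above, as an added illustration that is not OpenZeppelin's code: a cut-down Multicall (the ERC-2771 context forwarding of the real implementation is left out) with the loop body's delegatecall present twice, beside the single-delegatecall form, and a check contract that batches one increment() through each so the doubled execution is observable. The contract and function names are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Shared target: a counter whose increment() is what gets batched.
abstract contract Counter {
    uint256 public count;
    function increment() external { count += 1; }
}

// Multicall with the 4.9.4-style defect: the delegatecall line appears
// twice in the loop body, so every subcall executes twice.
contract MulticallDuplicated is Counter {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "subcall failed");
            results[i] = ret;
            // Duplicated line (the bug): the same subcall runs a second time.
            (ok, ret) = address(this).delegatecall(data[i]);
            require(ok, "subcall failed");
            results[i] = ret;
        }
    }
}

// Corrected form (one delegatecall per entry, as in the 4.9.5 fix).
contract MulticallFixed is Counter {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "subcall failed");
            results[i] = ret;
        }
    }
}

// Regression check: batch a single increment() through each variant and
// return both counters; a correct Multicall advances the counter by exactly 1.
contract MulticallCheck {
    function run() external returns (uint256 duplicatedCount, uint256 fixedCount) {
        bytes[] memory calls = new bytes[](1);
        calls[0] = abi.encodeWithSignature("increment()");
        MulticallDuplicated d = new MulticallDuplicated();
        d.multicall(calls);
        MulticallFixed f = new MulticallFixed();
        f.multicall(calls);
        return (d.count(), f.count());
    }
}
```

Deploying MulticallCheck and calling run() shows the duplicated variant advancing its counter by two for a batch of one call while the fixed variant advances by one; the same shape of test, run against a project's own Multicall inheritance, is a cheap guard against this class of regression.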

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
