VYPR
Moderate severity · NVD Advisory · Published Aug 1, 2022 · Updated Apr 23, 2025

Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls

CVE-2022-35916

Description

OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, CrossChainEnabledArbitrumL2 or LibArbitrumL2, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This issue has been patched in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenZeppelin Contracts Arbitrum L2 utilities misclassify EOA calls as cross-chain calls, allowing potential bypass of cross-chain checks; patched in v4.7.2.

Vulnerability

Overview

OpenZeppelin Contracts for Solidity includes cross-chain utilities for Arbitrum L2, specifically CrossChainEnabledArbitrumL2 and LibArbitrumL2. These utilities contain a flaw where direct interactions from externally owned accounts (EOAs) are incorrectly identified as cross-chain calls originating from L1, even though they are not. This incorrect classification can lead to unintended behavior in contracts that rely on these utilities to distinguish between L1-initiated and direct L2 interactions [1][4].

Exploitation

Scenario

The vulnerability can be exploited by any EOA that directly interacts with a contract using the affected utilities. The contract will treat the EOA's call as if it came through the Arbitrum bridge from L1, potentially granting the EOA privileges or access that should only be available to L1-originated calls. However, the advisory notes that any action an EOA can take by exploiting this issue could also be performed through the legitimate bridge, reducing the practical risk [4].

Impact

Assessment

If exploited, an attacker could bypass cross-chain authentication mechanisms, potentially leading to unauthorized state changes. The severity is assessed as low because the same actions could be performed through the intended bridge mechanism without the bug. Nevertheless, contracts that rely on strict separation between L1 and L2 callers may be vulnerable to logic errors [1][4].

Mitigation

The issue is fixed in OpenZeppelin Contracts version 4.7.2. Users are advised to upgrade to this version or later. No workarounds are available [1][4]. The fix was implemented in pull request #3578, which modifies the cross-chain detection logic to correctly identify EOA calls [3].
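To make the misclassification concrete, the following Solidity contract is an added illustration; it is not OpenZeppelin's code and does not appear on this page. It assumes that the pre-4.7.2 behaviour is equivalent to asking the Arbitrum ArbSys precompile whether the current call is a top-level call (which a plain EOA transaction on L2 also is), and that the corrected behaviour asks whether the caller's address was aliased by the bridge (which only happens for messages relayed from L1). The IArbSys interface, the L2Vault contract, its l1Governor and setParamFromL1 are all constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal view of the Arbitrum ArbSys precompile (address 0x64 on Arbitrum L2).
// Only the three functions this example relies on are declared.
interface IArbSys {
    function isTopLevelCall() external view returns (bool);
    function wasMyCallersAddressAliased() external view returns (bool);
    function myCallersAddressWithoutAliasing() external view returns (address);
}

/// @dev Illustrative contract (added example, not OpenZeppelin code).
contract L2Vault {
    IArbSys internal constant ARBSYS = IArbSys(0x0000000000000000000000000000000000000064);

    // L1 address allowed to change paramValue; constructed for this example.
    address public immutable l1Governor;
    uint256 public paramValue;

    error NotCrossChainCall();
    error UnauthorizedSender(address sender);

    constructor(address l1Governor_) {
        l1Governor = l1Governor_;
    }

    // Flawed classification (assumed model of the pre-4.7.2 behaviour): a
    // "top-level call" is any call with no intermediate L2 contract, so an
    // EOA sending an ordinary L2 transaction is also reported as cross-chain.
    function isCrossChainFlawed() internal view returns (bool) {
        return ARBSYS.isTopLevelCall();
    }

    // Corrected classification: the bridge aliases the L1 sender's address
    // when it relays a message to L2, and a direct EOA call is never aliased.
    function isCrossChainFixed() internal view returns (bool) {
        return ARBSYS.wasMyCallersAddressAliased();
    }

    // Resolves the L1 sender, reverting unless this is a genuine cross-chain
    // call according to the corrected classification.
    function crossChainSender() internal view returns (address) {
        if (!isCrossChainFixed()) revert NotCrossChainCall();
        return ARBSYS.myCallersAddressWithoutAliasing();
    }

    // Privileged operation that must only be reachable from L1 through the
    // bridge. With the flawed check in place of isCrossChainFixed(), an EOA
    // calling this function directly on L2 would pass the cross-chain gate
    // and be handed its own address as the "L1 sender".
    function setParamFromL1(uint256 v) external {
        address sender = crossChainSender();
        if (sender != l1Governor) revert UnauthorizedSender(sender);
        paramValue = v;
    }

    // Exposed for comparison: shows which classification the current call
    // gets under each check.
    function classifyCurrentCall() external view returns (bool flawed, bool fixed) {
        return (isCrossChainFlawed(), isCrossChainFixed());
    }
}
```

The security-relevant difference sits entirely in the predicate used for the gate: "no L2 contract above me in the call stack" is a statement about call depth, while "my caller's address was aliased" is a statement about the bridge having relayed the message. Only the latter distinguishes an L1-originated message from an EOA's direct L2 transaction, which is why the page's remediation is an upgrade rather than a configuration workaround.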

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
@openzeppelin/contracts (npm) | >= 4.6.0, < 4.7.2 | 4.7.2
@openzeppelin/contracts-upgradeable (npm) | >= 4.6.0, < 4.7.2 | 4.7.2
