Moderate severity · NVD Advisory · Published Feb 3, 2023 · Updated Mar 10, 2025
OpenZeppelin Contracts for Cairo is vulnerable to signature validation bypass
CVE-2023-23940
Description
OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature. In Cairo, keccak is computed by a prover-side hint and only becomes part of the proven constraints when finalize_keccak is called over the keccak segment; without that call the sequencer can substitute an arbitrary keccak output, so the address recovered from the signature is never actually checked against the account's key. As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.
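The following is an added illustration of the defect the advisory describes, written for this page and not taken from the OpenZeppelin library; it shows the vulnerable shape beside the fixed shape. It assumes cairo-lang 0.10-era APIs (verify_eth_signature_uint256, finalize_keccak), a hypothetical storage variable Account_eth_address for the account's Ethereum address, and a calldata layout of [v, r.low, r.high, s.low, s.high] for the signature; none of those details are taken from the advisory.

```cairo
%lang starknet

from starkware.cairo.common.alloc import alloc
from starkware.cairo.common.bool import TRUE
from starkware.cairo.common.cairo_builtins import BitwiseBuiltin, HashBuiltin
from starkware.cairo.common.cairo_keccak.keccak import finalize_keccak
from starkware.cairo.common.cairo_secp.signature import verify_eth_signature_uint256
from starkware.cairo.common.math import split_felt
from starkware.cairo.common.uint256 import Uint256

// Hypothetical storage slot holding the account's Ethereum address (assumption,
// not the library's own storage layout).
@storage_var
func Account_eth_address() -> (address: felt) {
}

// Decode the assumed calldata layout [v, r.low, r.high, s.low, s.high] and
// widen the felt message hash into a Uint256.
func _decode_signature{range_check_ptr}(hash: felt, signature: felt*) -> (
    msg_hash: Uint256, r: Uint256, s: Uint256, v: felt
) {
    let v = signature[0];
    let r = Uint256(low=signature[1], high=signature[2]);
    let s = Uint256(low=signature[3], high=signature[4]);
    let (high, low) = split_felt(hash);
    return (msg_hash=Uint256(low=low, high=high), r=r, s=s, v=v);
}

// VULNERABLE shape (the pattern the advisory describes): keccak work is
// accumulated in keccak_ptr but the segment is never finalized, so the
// sequencer's hint output for keccak is taken on faith and the recovered
// Ethereum address is not constrained by the proof.
func is_valid_eth_signature_vulnerable{
    syscall_ptr: felt*, pedersen_ptr: HashBuiltin*, bitwise_ptr: BitwiseBuiltin*, range_check_ptr
}(hash: felt, signature_len: felt, signature: felt*) -> (is_valid: felt) {
    alloc_locals;
    let (local eth_address) = Account_eth_address.read();
    let (local msg_hash: Uint256, local r: Uint256, local s: Uint256, local v) = _decode_signature(
        hash, signature
    );

    let (local keccak_ptr: felt*) = alloc();
    with keccak_ptr {
        verify_eth_signature_uint256(msg_hash=msg_hash, r=r, s=s, v=v, eth_address=eth_address);
    }
    // Missing here: finalize_keccak(...). Nothing ties the keccak outputs
    // used inside verify_eth_signature_uint256 to a real keccak computation.
    return (is_valid=TRUE);
}

// FIXED shape: remember where the keccak segment starts, and after the last
// keccak-using call constrain the whole segment with finalize_keccak. A
// sequencer that lies in the keccak hint can then no longer produce a valid proof.
func is_valid_eth_signature_fixed{
    syscall_ptr: felt*, pedersen_ptr: HashBuiltin*, bitwise_ptr: BitwiseBuiltin*, range_check_ptr
}(hash: felt, signature_len: felt, signature: felt*) -> (is_valid: felt) {
    alloc_locals;
    let (local eth_address) = Account_eth_address.read();
    let (local msg_hash: Uint256, local r: Uint256, local s: Uint256, local v) = _decode_signature(
        hash, signature
    );

    let (local keccak_ptr_start: felt*) = alloc();
    let keccak_ptr = keccak_ptr_start;
    with keccak_ptr {
        verify_eth_signature_uint256(msg_hash=msg_hash, r=r, s=s, v=v, eth_address=eth_address);
    }
    // keccak_ptr has advanced past every keccak invocation; finalize the range.
    finalize_keccak(keccak_ptr_start=keccak_ptr_start, keccak_ptr_end=keccak_ptr);
    return (is_valid=TRUE);
}
```

The practical check when auditing Cairo 0 code is mechanical: every function that binds a keccak_ptr and passes it into keccak-based helpers must reach a finalize_keccak over the start and end of that segment before returning, on every path. The vulnerable variant above compiles and runs identically to the fixed one for an honest sequencer; the difference only shows up when the hint is adversarial, which is why it survived ordinary testing.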
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openzeppelin-cairo-contracts (PyPI) | >= 0.2.0, < 0.6.1 | 0.6.1 |
Affected products
- OpenZeppelin/cairo-contracts: >= 0.2.0, < 0.6.1
Patches
Patched in openzeppelin-cairo-contracts 0.6.1; the fix commit is part of OpenZeppelin/cairo-contracts pull request 542 (linked under References).
References
- https://github.com/advisories/GHSA-626q-v9j4-mcp4 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-23940 (NVD)
- https://github.com/OpenZeppelin/cairo-contracts/pull/542/commits/6d4cb750478fca2fd916f73297632f899aca9299 (fix commit)
- https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-626q-v9j4-mcp4 (vendor advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/openzeppelin-cairo-contracts/PYSEC-2023-39.yaml (PyPA advisory database)