Duplicated execution of subcalls in OpenZeppelin Contracts
Description
OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of Multicall.sol released in @openzeppelin/contracts@4.9.4 and @openzeppelin/contracts-upgradeable@4.9.4, all subcalls are executed twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers. The duplicated delegatecall was removed in version 4.9.5. The 4.9.4 version is marked as deprecated. Users are advised to upgrade. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenZeppelin Contracts 4.9.4 Multicall.sol bug causes each subcall to execute twice, risking duplicate asset transfers.
Description
A merge conflict resolution error when porting a fix from version 5.0.1 to the 4.9 branch introduced a duplicate line in Multicall.sol. This resulted in functionDelegateCall being called twice for each subcall in versions 4.9.4 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable [1][3].
Exploitation
Any user or contract invoking the multicall function will inadvertently execute each provided calldata twice. No special privileges or external conditions are required; the bug is triggered by normal usage of the Multicall utility [1][4].
Impact
Attackers do not actively exploit this vulnerability, but legitimate users may unintentionally duplicate sensitive operations such as asset transfers, token approvals, or other state-changing calls. This can lead to financial losses or unintended contract states [1][3].
Mitigation
The duplicate functionDelegateCall line was removed in version 4.9.5. Version 4.9.4 is deprecated, and users are strongly advised to upgrade. No known workarounds exist [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
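The defect and the fix side by side, as a constructed Solidity reproduction added here. This is not OpenZeppelin's code: the real library routes subcalls through Address.functionDelegateCall and derives `context` from the ERC-2771 forwarder suffix, whereas this minimal version uses a raw self-delegatecall and an empty suffix. All contract and function names (MulticallDuplicated, MulticallFixed, Ledger, Repro) are hypothetical. The harness batches one transfer through each variant so the double execution shows up as a doubled recipient balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed, self-contained reproduction of the 4.9.4 Multicall defect next to the
// 4.9.5 shape. NOT OpenZeppelin's code; all names here are hypothetical.

interface IMulticall {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results);
}

abstract contract MulticallBase is IMulticall {
    // Stand-in for the suffix 4.9.4 appends to each subcall; empty for a direct caller.
    function _contextSuffix() internal view virtual returns (bytes memory) {
        return "";
    }

    // Plain delegatecall to self that bubbles up the callee's revert data unchanged.
    function _delegate(bytes memory callData) internal returns (bytes memory) {
        (bool ok, bytes memory ret) = address(this).delegatecall(callData);
        if (!ok) {
            assembly {
                revert(add(ret, 32), mload(ret))
            }
        }
        return ret;
    }
}

// Loop body as shipped in 4.9.4: the leftover line executes every subcall once, then the
// merged line executes it again with the suffix. The first result is silently overwritten,
// so the duplication is invisible in `results` and visible only in state.
abstract contract MulticallDuplicated is MulticallBase {
    function multicall(bytes[] calldata data) external override returns (bytes[] memory results) {
        bytes memory context = _contextSuffix();
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = _delegate(data[i]);                        // first execution
            results[i] = _delegate(bytes.concat(data[i], context)); // second execution
        }
        return results;
    }
}

// Loop body as shipped in 4.9.5: exactly one delegatecall per entry.
abstract contract MulticallFixed is MulticallBase {
    function multicall(bytes[] calldata data) external override returns (bytes[] memory results) {
        bytes memory context = _contextSuffix();
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = _delegate(bytes.concat(data[i], context));
        }
        return results;
    }
}

// A minimal state-changing operation standing in for an asset transfer.
abstract contract Ledger {
    mapping(address => uint256) public balance;

    function faucet(uint256 amount) external {
        balance[msg.sender] += amount;
    }

    function transfer(address to, uint256 amount) external {
        require(balance[msg.sender] >= amount, "insufficient balance");
        balance[msg.sender] -= amount;
        balance[to] += amount;
    }
}

contract LedgerDuplicated is Ledger, MulticallDuplicated {}
contract LedgerFixed is Ledger, MulticallFixed {}

// Harness: batch a single transfer of 10 through each variant and report what the
// recipient ends up with. Deploy and call both functions (Remix or a Foundry test):
// the 4.9.4-shaped variant yields 20, the 4.9.5-shaped one 10.
contract Repro {
    address internal constant RECIPIENT = address(0xA11CE); // constructed address

    function _batchedTransfer(Ledger ledger) internal returns (uint256) {
        ledger.faucet(100); // this contract is the batch sender; delegatecall keeps it as msg.sender
        bytes[] memory batch = new bytes[](1);
        batch[0] = abi.encodeWithSelector(Ledger.transfer.selector, RECIPIENT, 10);
        IMulticall(address(ledger)).multicall(batch);
        return ledger.balance(RECIPIENT);
    }

    function recipientBalanceWith494Shape() external returns (uint256) {
        return _batchedTransfer(new LedgerDuplicated()); // 20: the transfer ran twice
    }

    function recipientBalanceWith495Shape() external returns (uint256) {
        return _batchedTransfer(new LedgerFixed()); // 10: the transfer ran once
    }
}
```

The harness makes the detection point concrete: the returned `results` array looks identical for both variants, so a regression test for this class of bug must assert on post-call state (balances, allowances, counters), not on return data.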
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @openzeppelin/contracts (npm) | >= 4.9.4, < 4.9.5 | 4.9.5 |
| @openzeppelin/contracts-upgradeable (npm) | >= 4.9.4, < 4.9.5 | 4.9.5 |
Affected products
- ghsa-coords, 2 versions: >= 4.9.4, < 4.9.5 (+ 1 more)
- (no CPE) range: >= 4.9.4, < 4.9.5
- (no CPE) range: >= 4.9.4, < 4.9.5
- OpenZeppelin/openzeppelin-contracts (v5) range: = 4.9.4
Patches
1 patch: 31f9fb9d171f "Transpile 88ac712e" (1 file changed, +0 −1)
contracts/utils/MulticallUpgradeable.sol+0 −1 modified@@ -38,7 +38,6 @@ abstract contract MulticallUpgradeable is Initializable, ContextUpgradeable { results = new bytes[](data.length); for (uint256 i = 0; i < data.length; i++) { - results[i] = AddressUpgradeable.functionDelegateCall(address(this), data[i]); results[i] = AddressUpgradeable.functionDelegateCall(address(this), bytes.concat(data[i], context)); } return results;
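Review bot: the removed first line of the loop body, `results[i] = AddressUpgradeable.functionDelegateCall(address(this), data[i]);`, is the pre-5.0.1 call left behind when the 5.0.1 change was merged into 4.9, so before this patch every entry of `data` was delegatecalled twice, once without and once with `context` appended; because the second assignment overwrites `results[i]`, the extra execution never appeared in the returned results and was visible only in state. Removing the line is the correct fix and leaves the single `bytes.concat(data[i], context)` call as the loop body, but the change would be stronger with a regression test in the same commit that batches one state-changing subcall (a transfer or approval) and asserts its effect occurred exactly once, since a result-based assertion would have passed on the broken code.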
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-699g-q6qh-q4v8 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-49798 (GHSA, advisory)
- https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/31f9fb9d171f60b2271b2b9c6f62d43302bf9489 (GHSA, web)
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/88ac712e06832bce73b41e8166cded2729e25205 (GHSA, x_refsource_MISC, web)
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-699g-q6qh-q4v8 (GHSA, x_refsource_CONFIRM, web)