cvedb.io
CVE-2023-23940
MEDIUM · CVSS 6.4
EPSS exploitation probability: 0%
Published 2023-02-03T20:15:11.037 · Last modified 2026-06-17T05:38:20.130

Summary

OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.

Affected products

openzeppelin — contracts

Does this affect you?

Add your gear to cvedb and we'll alert you only when openzeppelin ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.