PYSEC-2023-39

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/openzeppelin-cairo-contracts/PYSEC-2023-39.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2023-39
Aliases
Published
2023-02-03T20:15:00Z
Modified
2026-02-22T22:49:15.001963Z
Summary
[none]
Details

OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature. As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.

References

Affected packages

PyPI / openzeppelin-cairo-contracts

Package

Name
openzeppelin-cairo-contracts
Purl
pkg:pypi/openzeppelin-cairo-contracts

Affected ranges

Type
GIT
Repo
https://github.com/OpenZeppelin/cairo-contracts
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
ECOSYSTEM
Events
Introduced
0.2.0
Fixed
0.6.1

Affected versions

0.*
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.4.0b0
0.4.0
0.5.0
0.5.1
0.6.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/openzeppelin-cairo-contracts/PYSEC-2023-39.yaml"