Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-31153: `ecdsa_ptr` points to reference in Account lib's `execute` · Issue #386 · OpenZeppelin/cairo-contracts

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet’s testing framework. This bug has been patched in v0.2.1.

CVE
Open in Source
🛑 The transaction was rejected but no contract address was identified in the error message.
Error message:
Error at pc=0:133:
Got an exception while executing a hint.
Cairo traceback (most recent call last):
Unknown location (pc=0:746)
Unknown location (pc=0:682)
Error message: Account: invalid signature
Unknown location (pc=0:347)
Unknown location (pc=0:321)

Traceback (most recent call last):
  File "<hint14>", line 1, in <module>
  File "/app/src/starkware/starknet/services/batcher/starknet_batcher_venv-site/starkware/cairo/lang/builtins/signature/signature_builtin_runner.py", line 94, in add_signature
    ), f"Signature hint must point to the signature builtin segment, not {addr}."
AssertionError: Signature hint must point to the signature builtin segment, not 14:0.

Neither the StarkNet test environment nor the devnet raise this error.

let (local ecdsa_ptr : SignatureBuiltin*) = alloc()

The Signature hint points to this reference (which the SignatureBuiltinRunner does not like). To resolve this, I suggest adding the ecdsa_ptr: SignatureBuiltin* as an implicit arg to execute, eth_execute, and _unsafe_execute in the Account library and EthAccount’s execute as well.

Another solution would be to isolate the functionality of both accounts (thus removing _unsafe_execute), so we don’t have to pass the implicit ecdsa_ptr in the EthAccount methods.

Related news

GHSA-8mjr-jr5h-q2xr: Account cannot process transactions on Goerli

### Impact This vulnerability affects all accounts (vanilla and ethereum flavors) in the [v0.2.0 release of OpenZeppelin Contracts for Cairo](https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.0), which are not whitelisted on StarkNet mainnet, so only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in [StarkNet's testing framework](https://github.com/starkware-libs/cairo-lang/blob/master/src/starkware/starknet/testing/starknet.py), so don't rely on it passing to detect this issue on custom accounts. ### Patches This bug has been patched in [v0.2.1](https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1). ### References The issue is detailed in https://github.com/OpenZeppelin/cairo-contracts/issues/386. ### For more information If you have any questions or comments about this advisory: * Open an issue in [the Contracts for Cairo repo](https://github.com/OpenZeppelin/cairo-contracts/issues/new/choose) * Email us at ...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE