GHSA-8mjr-jr5h-q2xr: Account cannot process transactions on Goerli
Impact
This vulnerability affects all account contracts (both the vanilla and the Ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo. Those v0.2.0 accounts are not whitelisted on StarkNet mainnet, so only Goerli testnet deployments of v0.2.0 accounts are affected.
The faulty behavior does not show up in StarkNet's testing framework, so a passing test suite is not evidence that a custom account derived from v0.2.0 is unaffected; check the deployed version, not the tests.
Patches
This bug has been patched in v0.2.1.
References
The issue is detailed in https://github.com/OpenZeppelin/cairo-contracts/issues/386.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Contracts for Cairo repo
- Email us at [email protected]
Critical severity GitHub Reviewed Published Jul 15, 2022 in OpenZeppelin/cairo-contracts • Updated Jul 15, 2022
Package
openzeppelin-cairo-contracts (pip)
Affected versions
< 0.2.1
Patched versions
0.2.1
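The affected range above is the one thing a practitioner can act on directly. The following is an added example (not code from the advisory or from the OpenZeppelin project) that scans `pip freeze` style output for the openzeppelin-cairo-contracts pin and flags any version below the patched 0.2.1. The sample freeze text is constructed here for illustration, and the version comparison is a deliberately simplified PEP 440 ordering (numeric release plus an optional a/b/rc pre-release tag), which is enough for this package's release history but is an assumption, not a general-purpose parser.

```python
import re

# Constructed sample of `pip freeze` output for illustration (not taken from the advisory).
SAMPLE_FREEZE = """\
cairo-lang==0.9.1
openzeppelin-cairo-contracts==0.2.0
pytest==7.1.2
"""

PACKAGE = "openzeppelin-cairo-contracts"
PATCHED = "0.2.1"  # advisory: affected < 0.2.1, patched in 0.2.1


def parse_version(v):
    """Parse 'X.Y.Z' with an optional pre-release tag (a1, b2, rc3) into a comparable tuple.

    Simplified PEP 440 ordering (an assumption for this example): pre-releases sort
    before the final release with the same numbers, e.g. 0.2.1rc1 < 0.2.1.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad so '0.2' compares like '0.2.0'
    if m.group(2):
        rank = {"a": 0, "b": 1, "rc": 2}[m.group(2)]
        pre = (0, rank, int(m.group(3)))  # (0, ...) sorts before the final marker (1,)
    else:
        pre = (1,)
    return release, pre


def is_affected(version):
    """True if the given package version falls inside the advisory's '< 0.2.1' range."""
    return parse_version(version) < parse_version(PATCHED)


def affected_pins(freeze_text):
    """Return (name, version) for every '==' pin of PACKAGE that is in the affected range.

    Package names are normalised (lower-case, '_' -> '-') before comparison so that
    spelling variants in the freeze output still match.
    """
    hits = []
    for line in freeze_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([^\s;]+)", line)
        if not m:
            continue  # editable installs, VCS URLs etc. are out of scope here
        name = m.group(1).lower().replace("_", "-")
        ver = m.group(2)
        if name == PACKAGE and is_affected(ver):
            hits.append((name, ver))
    return hits


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FREEZE
    for name, ver in affected_pins(text):
        print(f"{name}=={ver} is affected by GHSA-8mjr-jr5h-q2xr; upgrade to {PATCHED}")
```

Run it as `pip freeze | python check_oz_cairo.py` inside the project's virtualenv; with no input on stdin it evaluates the constructed sample instead. Because the advisory says the testing framework does not reproduce the failure, this version check (or inspecting the deployed contract's source) is the reliable signal, not a green test run.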
References
- GHSA-8mjr-jr5h-q2xr
- https://nvd.nist.gov/vuln/detail/CVE-2022-31153
martriay published the maintainer security advisory
Jul 14, 2022
Severity
Critical
Weaknesses
No CWEs
CVE ID
CVE-2022-31153
GHSA ID
GHSA-8mjr-jr5h-q2xr
Source code
OpenZeppelin/cairo-contracts
Related news
OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and Ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet; only Goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1.