Vulnerability Description
OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openzeppelin | Contracts | 0.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppeExploitThird Party Advisory
- https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9eePatchThird Party Advisory
- https://github.com/OpenZeppelin/cairo-contracts/issues/386ExploitIssue TrackingThird Party Advisory
- https://github.com/OpenZeppelin/cairo-contracts/pull/387PatchThird Party Advisory
- https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1Release NotesThird Party Advisory
- https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jrThird Party Advisory
- https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppeExploitThird Party Advisory
- https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9eePatchThird Party Advisory
- https://github.com/OpenZeppelin/cairo-contracts/issues/386ExploitIssue TrackingThird Party Advisory
- https://github.com/OpenZeppelin/cairo-contracts/pull/387PatchThird Party Advisory
- https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1Release NotesThird Party Advisory
- https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jrThird Party Advisory
FAQ
What is CVE-2022-31153?
CVE-2022-31153 is a vulnerability with a CVSS score of 6.5 (MEDIUM). OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts ...
How severe is CVE-2022-31153?
CVE-2022-31153 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-31153?
Check the references section above for vendor advisories and patch information. Affected products include: Openzeppelin Contracts.