CVE-2022-31153

OpenZeppelin Contracts for Cairo account cannot process transactions on Goerli

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1.

OpenZeppelin Contracts for Cairo es una biblioteca para el desarrollo de contratos escrita en Cairo para StarkNet, un ZK Rollup descentralizado. La versión 0.2.0 es vulnerable a un error que hace que los contratos de cuentas sean inusables en las redes vivas. Este problema afecta a todas las cuentas (sabores vanilla y ethereum) en la versión v0.2.0 de OpenZeppelin Contracts for Cairo, que no están en la lista blanca de la red principal de StarkNet. Sólo están afectadas las implementaciones goerli de las cuentas de la versión v0.2.0. Este comportamiento fallido no es observado en el marco de pruebas de StarkNet. Este bug ha sido parcheado en versión v0.2.1

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-07-15 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-664: Improper Control of a Resource Through its Lifetime
CWE-863: Incorrect Authorization

CAPEC

References (6)

URL	Tag	Source
https://github.com/OpenZeppelin/cairo-contracts/releases/tag/v0.2.1	Release Notes
https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-8mjr-jr5h-q2xr	Third Party Advisory

URL	Date	SRC
https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203	2024-08-03
https://github.com/OpenZeppelin/cairo-contracts/issues/386	2024-08-03

URL	Date	SRC
https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9	2022-07-22
https://github.com/OpenZeppelin/cairo-contracts/pull/387	2022-07-22

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openzeppelin Search vendor "Openzeppelin"		Contracts Search vendor "Openzeppelin" for product "Contracts"				0.2.0 Search vendor "Openzeppelin" for product "Contracts" and version "0.2.0"		cairo		Affected