First published: Fri Jul 15 2022(Updated: )
OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Openzeppelin Contracts | =0.2.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-31153 is a vulnerability in OpenZeppelin Contracts for Cairo version 0.2.0 that renders account contracts unusable on live networks.
OpenZeppelin Contracts for Cairo version 0.2.0 is affected by CVE-2022-31153.
CVE-2022-31153 has a severity rating of 6.5 (medium).
Updating to a version of OpenZeppelin Contracts for Cairo that is not affected by CVE-2022-31153 is the recommended fix.
You can find more information about CVE-2022-31153 in the references provided: [link 1](https://github.com/OpenZeppelin/cairo-contracts/blob/release-0.2.0/src/openzeppelin/account/library.cairo#L203), [link 2](https://github.com/OpenZeppelin/cairo-contracts/commit/2cd60279c3332285d47edf9ee3888b71257acdc9), [link 3](https://github.com/OpenZeppelin/cairo-contracts/issues/386).