CVE-2023-34459
First published: Fri Jun 16 2023(Updated: )
OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the `verifyMultiProof`, `verifyMultiProofCalldata`, `procesprocessMultiProof`, or `processMultiProofCalldat` functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves. A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertedly for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree. A contract is not vulnerable if it uses single-leaf proving (`verify`, `verifyCalldata`, `processProof`, or `processProofCalldata`), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe. The problem has been patched in version 4.9.2. Some workarounds are available. For those using multiproofs: When constructing merkle trees hash the leaves and do not insert empty nodes in your trees. Using the @openzeppelin/merkle-tree package eliminates this issue. Do not accept user-provided merkle roots without reconstructing at least the first level of the tree. Verify the merkle tree structure by reconstructing it from the leaves.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openzeppelin Contracts | >=4.7.0<4.9.2 | |
| Openzeppelin Contracts Upgradeable | >=4.7.0<4.9.2 | |
| npm/@openzeppelin/contracts-upgradeable | >=4.7.0<4.9.2 | 4.9.2 |
| npm/@openzeppelin/contracts | >=4.7.0<4.9.2 | 4.9.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/OpenZeppelin/openzeppelin-contracts/commit/4d2383e17186be3e8ccf5a442e9686ecc7de1c55
- https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.9.2
- https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-wprv-93r4-jj2p
- https://nvd.nist.gov/vuln/detail/CVE-2023-34459
- https://github.com/advisories/GHSA-wprv-93r4-jj2p (Advisory)
Frequently Asked Questions
What is the vulnerability associated with CVE-2023-34459?
The vulnerability associated with CVE-2023-34459 is related to OpenZeppelin Contracts version 4.7.0 to 4.9.2 and allows for the construction of malicious Merkle trees.
How does the vulnerability in OpenZeppelin Contracts manifest?
The vulnerability manifests when using the `verifyMultiProof`, `verifyMultiProofCalldata`, `procesprocessMultiProof`, or `processMultiProofCalldat` functions in OpenZeppelin Contracts versions 4.7.0 to 4.9.2.
What is the severity of the OpenZeppelin Contracts vulnerability (CVE-2023-34459)?
The severity of the OpenZeppelin Contracts vulnerability (CVE-2023-34459) is medium with a CVSS score of 5.9.
Which versions of OpenZeppelin Contracts are affected by the vulnerability?
OpenZeppelin Contracts versions 4.7.0 to 4.9.2 are affected by the vulnerability.
How can I fix the vulnerability in OpenZeppelin Contracts?
To fix the vulnerability in OpenZeppelin Contracts, you should update to version 4.9.2 or later.
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-wprv-93r4-jj2p
- alias/CVE-2023-34459
- collector/nvd-cve
- collector/github-advisory
- vendor/openzeppelin
- canonical/openzeppelin contracts
- version/openzeppelin contracts/4.7.0
- canonical/openzeppelin contracts upgradeable
- version/openzeppelin contracts upgradeable/4.7.0
- package-manager/npm