CVE-2023-49798 in openzeppelin-contracts

Summary

by MITRE • 12/09/2023

OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released in `@openzeppelin/contracts@4.9.4` and `@openzeppelin/contracts-upgradeable@4.9.4`, all subcalls are executed twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers. The duplicated delegatecall was removed in version 4.9.5. The 4.9.4 version is marked as deprecated. Users are advised to upgrade. There are no known workarounds for this issue.


Analysis

by VulDB Data Team • 01/01/2024

CVE-2023-49798 affects OpenZeppelin Contracts version 4.9.4. A merge error while porting a 5.0.1 patch to the 4.9 branch duplicated a line in the Multicall.sol implementation, so every subcall dispatched through the multicall function is executed twice. The redundant delegatecall introduced by the faulty merge conflict resolution alters the contract's execution flow and undermines the integrity and expected behavior of any smart contract built on this library.

The flaw violates the single-execution principle of smart contract design: each operation should run exactly once, as the developer intended. Because the duplication sits in the delegatecall mechanism of the multicall function, every batched operation is executed twice, which can have severe financial and operational consequences. The vulnerability is classified under CWE-1287, which addresses incorrect handling of duplicate operations in software systems, and is mapped to ATT&CK technique T1499.004, network denial of service through resource exhaustion.

The impact goes beyond simple redundancy. When a delegatecall runs twice, every state modification, asset movement, or computation inside it happens twice, which exposes users to unintentionally duplicated asset transfers and other financial operations, including double-spend scenarios and unintended transfers with real monetary losses. Because the multicall pattern is widely used to batch several operations into a single transaction, the defect touches core functionality and is a critical security concern for any contract that relies on it.

Remediation is to upgrade immediately from the affected version 4.9.4 to version 4.9.5, which removes the duplicate delegatecall. Version 4.9.4 is deprecated and marked as insecure, and users must migrate to the patched release to prevent exploitation. Since there are no known workarounds that safely mitigate the issue without upgrading the library, organizations using OpenZeppelin Contracts should audit their deployments to confirm that no contract was built against the vulnerable version. The incident shows how a seemingly minor merge conflict can become a significant security vulnerability when several code branches are maintained in parallel, and why patches must be tested thoroughly on every branch they are ported to.
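The following Solidity contracts are an added illustration of the defect described above; they are not OpenZeppelin's own Multicall.sol. `MulticallDuplicated` reconstructs the shape of the bug (the same delegatecall line appearing twice in the loop body), `MulticallFixed` shows the single-execution form, and the `Ledger` and `Demo` contracts, the `alice` address and the starting balance are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction of the defect (not OpenZeppelin's source):
// a batching helper whose loop body delegatecalls each subcall twice.
abstract contract MulticallDuplicated {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "subcall failed");
            // Duplicated line: the identical subcall runs a second time, so
            // any state change it makes (a transfer, a mint) happens twice.
            (ok, ret) = address(this).delegatecall(data[i]);
            require(ok, "subcall failed");
            results[i] = ret;
        }
    }
}

// Corrected form: each subcall is delegatecalled exactly once.
abstract contract MulticallFixed {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "subcall failed");
            results[i] = ret;
        }
    }
}

// Minimal ledger constructed for this example. The deployer starts with 100
// units; transfer() is the state-changing subcall that multicall batches.
abstract contract Ledger {
    mapping(address => uint256) public balance;

    constructor() {
        balance[msg.sender] = 100;
    }

    function transfer(address to, uint256 amount) external {
        require(balance[msg.sender] >= amount, "insufficient balance");
        balance[msg.sender] -= amount;
        balance[to] += amount;
    }
}

contract LedgerDuplicated is Ledger, MulticallDuplicated {}
contract LedgerFixed is Ledger, MulticallFixed {}

// Deploys both ledgers (so this contract is the account holding 100 units),
// batches a single transfer of 10 through each, and returns the balances left.
contract Demo {
    function run() external returns (uint256 afterDuplicated, uint256 afterFixed) {
        address alice = address(0xA11CE); // hypothetical recipient
        bytes[] memory calls = new bytes[](1);
        calls[0] = abi.encodeCall(Ledger.transfer, (alice, 10));

        LedgerDuplicated bad = new LedgerDuplicated();
        LedgerFixed good = new LedgerFixed();

        // delegatecall to address(this) keeps msg.sender == this contract,
        // so transfer() debits the balance the constructor gave the deployer.
        bad.multicall(calls);
        good.multicall(calls);

        afterDuplicated = bad.balance(address(this)); // the transfer ran twice
        afterFixed = good.balance(address(this));     // the transfer ran once
    }
}
```

Deploying `Demo` and calling `run()` returns 80 for the duplicated ledger and 90 for the fixed one: a single batched transfer of 10 debits the caller twice when the loop body carries the duplicated delegatecall. The same doubling applies to every subcall in the batch, which is why the advisory describes duplicated asset transfers rather than a single off-by-one. On the audit side, the only reliable check is the dependency version itself: a lockfile pinning `@openzeppelin/contracts` or `@openzeppelin/contracts-upgradeable` at 4.9.4 should be bumped to 4.9.5 and the affected contracts redeployed, since no runtime workaround exists.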

Responsible

GitHub, Inc.

Reservation

11/30/2023

Disclosure

12/09/2023

Moderation

accepted

CPE

ready

EPSS

0.00543

KEV

no

Activities

very low

Sources
