6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31153

GHSA ID

GHSA-8mjr-jr5h-q2xr

EPSS Score

0.30337%

CWE

CWE-664

Published

7/15/2022

Updated

11/22/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31153

CVE-2022-31153: OpenZeppelin Contracts for Cairo account cannot process transactions on Goerli

Impact

This vulnerability affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet, so only goerli deployments of v0.2.0 accounts are affected.

This faulty behavior is not observed in StarkNet's testing framework, so don't rely on it passing to detect this issue on custom accounts.

Patches

This bug has been patched in v0.2.1.

References

The issue is detailed in https://github.com/OpenZeppelin/cairo-contracts/issues/386.

For more information

If you have any questions or comments about this advisory:

Open an issue in the Contracts for Cairo repo
Email us at security@openzeppelin.com

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31153

GHSA ID

GHSA-8mjr-jr5h-q2xr

EPSS Score

0.30337%

CWE

CWE-664

Published

7/15/2022

Updated

11/22/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
openzeppelin-cairo-contracts	pip	< 0.2.1	0.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from incorrect handling of the ecdsa_ptr signature builtin reference. The pre-patch code in library.cairo's execute function created a local ecdsa_ptr via alloc() (line 203 in v0.2.0), which StarkNet's runtime rejected as it expects signature validation to use the system-provided ecdsa_ptr. The patch in 2cd6027 added ecdsa_ptr as an implicit parameter to execute and _unsafe_execute, resolving the validation failure. The vulnerable functions directly handled signature validation with improper pointer management, making them root causes of the transaction processing failure on Goerli.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is vuln*r**ility *****ts *ll ***ounts (v*nill* *n* *t**r*um *l*vors) in t** [v*.*.* r*l**s* o* Op*nZ*pp*lin *ontr**ts *or **iro](*ttps://*it*u*.*om/Op*nZ*pp*lin/**iro-*ontr**ts/r*l**s*s/t**/v*.*.*), w*i** *r* not w*it*list** on St*rkN*t

Reasoning

T** vuln*r**ility st*mm** *rom in*orr**t **n*lin* o* t** ***s*_ptr si*n*tur* *uiltin r***r*n**. T** pr*-p*t** *o** in li*r*ry.**iro's *x**ut* *un*tion *r**t** * lo**l ***s*_ptr vi* *llo*() (lin* *** in v*.*.*), w*i** St*rkN*t's runtim* r*j**t** *s it

6.5

Basic Information

Concerned about an active attack path?

CVE-2022-31153: OpenZeppelin Contracts for Cairo account cannot process transactions on Goerli

Impact

Patches

References

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI