The vulnerability stems from how Arbitrum's L1->L2 message passing relies on address aliasing. The fix in PR #3578 calls `ArbSys(address(100)).wasMyCallersAddressAliased()` to distinguish genuine cross-chain calls (arriving from an aliased L1 address) from calls made directly by a native L2 EOA. The vulnerable versions lacked this check in LibArbitrumL2's core functions, so an EOA calling from L2 could be misclassified as a cross-chain sender. Both `isCrossChain` and `crossChainSender` were modified in the fix, confirming that both are part of the vulnerability.
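To make the misclassification concrete, the following is an added Python model (not OpenZeppelin's code) of Arbitrum's L1->L2 address aliasing and of the two classification strategies. The aliasing offset is Arbitrum's documented protocol constant, and the pre-fix behaviour is modelled, as an assumption, as "any top-level call is cross-chain" with no aliasing check.

```python
from dataclasses import dataclass
# Arbitrum's L1->L2 aliasing offset (protocol constant, not taken from the advisory text).
ALIAS_OFFSET = 0x1111000000000000000000000000000000001111
MASK160 = (1 << 160) - 1

class NotCrossChainCall(Exception):
    pass  # models the revert LibArbitrumL2 raises for callers that are not cross-chain

def apply_alias(l1_addr: int) -> int:
    """Address an L1 sender appears as on L2 (what ArbOS does to msg.sender)."""
    return (l1_addr + ALIAS_OFFSET) & MASK160

def undo_alias(l2_addr: int) -> int:
    """Inverse of apply_alias; models ArbSys.myCallersAddressWithoutAliasing()."""
    return (l2_addr - ALIAS_OFFSET) & MASK160

@dataclass(frozen=True)
class Call:
    sender: int      # msg.sender as seen by the L2 contract
    top_level: bool  # caller is the transaction origin (an EOA, or an L1 retryable ticket)
    aliased: bool    # ArbOS aliased this sender; what ArbSys.wasMyCallersAddressAliased() reports

# Pre-fix shape (assumption: modelled as "any top-level call is cross-chain", with no alias check).
def is_cross_chain_unchecked(call: Call) -> bool:
    return call.top_level

def cross_chain_sender_unchecked(call: Call) -> int:
    if not is_cross_chain_unchecked(call):
        raise NotCrossChainCall
    # With no aliasing check, a plain L2 EOA is handed back as if it were the L1 sender.
    return undo_alias(call.sender) if call.aliased else call.sender

# Patched shape (PR #3578): only a caller whose address was aliased counts as cross-chain.
def is_cross_chain_patched(call: Call) -> bool:
    return call.aliased

def cross_chain_sender_patched(call: Call) -> int:
    if not is_cross_chain_patched(call):
        raise NotCrossChainCall
    return undo_alias(call.sender)

def classify(call: Call) -> dict:
    """Run both variants on one call; 'reverted' marks where the library would revert."""
    out = {}
    for name, fn in (("unchecked", cross_chain_sender_unchecked), ("patched", cross_chain_sender_patched)):
        try:
            out[name] = fn(call)
        except NotCrossChainCall:
            out[name] = "reverted"
    return out
```

Running `classify` on a direct L2 EOA call shows the unchecked variant returning the EOA's own address as the "L1 sender" while the patched variant reverts.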
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @openzeppelin/contracts | npm | >= 4.6.0, < 4.7.2 | 4.7.2 |
| @openzeppelin/contracts-upgradeable | npm | >= 4.6.0, < 4.7.2 | 4.7.2 |