Lucene search

K
cve[email protected]CVE-2023-34459
HistoryJun 16, 2023 - 11:15 p.m.

CVE-2023-34459

2023-06-1623:15:08
CWE-354
web.nvd.nist.gov
26
openzeppelin contracts
smart contract development
multiproof vulnerability
merkle tree
security patch

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

32.5%

OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the verifyMultiProof, verifyMultiProofCalldata, procesprocessMultiProof, or processMultiProofCalldat functions are in use, it is possible to construct merkle trees that allow forging a valid multiproof for an arbitrary set of leaves.

A contract may be vulnerable if it uses multiproofs for verification and the merkle tree that is processed includes a node with value 0 at depth 1 (just under the root). This could happen inadvertedly for balanced trees with 3 leaves or less, if the leaves are not hashed. This could happen deliberately if a malicious tree builder includes such a node in the tree.

A contract is not vulnerable if it uses single-leaf proving (verify, verifyCalldata, processProof, or processProofCalldata), or if it uses multiproofs with a known tree that has hashed leaves. Standard merkle trees produced or validated with the @openzeppelin/merkle-tree library are safe.

The problem has been patched in version 4.9.2.

Some workarounds are available. For those using multiproofs: When constructing merkle trees hash the leaves and do not insert empty nodes in your trees. Using the @openzeppelin/merkle-tree package eliminates this issue. Do not accept user-provided merkle roots without reconstructing at least the first level of the tree. Verify the merkle tree structure by reconstructing it from the leaves.

Affected configurations

Vulners
NVD
Node
openzeppelinopenzeppelin_contractsRange4.7.04.9.2
VendorProductVersionCPE
openzeppelinopenzeppelin_contracts*cpe:2.3:a:openzeppelin:openzeppelin_contracts:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "OpenZeppelin",
    "product": "openzeppelin-contracts",
    "versions": [
      {
        "version": ">= 4.7.0, < 4.9.2",
        "status": "affected"
      }
    ]
  }
]

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

32.5%

Related for CVE-2023-34459