Vulnerabilities > CVE-2023-49798 - Always-Incorrect Control Flow Implementation vulnerability in Openzeppelin Contracts and Contracts Upgradeable

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

openzeppelin

CWE-670

NVD

Published: 2023-12-09

Updated: 2023-12-13

Summary

OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of `Multicall.sol` released in `@openzeppelin/[email protected]` and `@openzeppelin/[email protected]`, all subcalls are executed twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers. The duplicated delegatecall was removed in version 4.9.5. The 4.9.4 version is marked as deprecated. Users are advised to upgrade. There are no known workarounds for this issue.

Vulnerable Configurations

Part	Description	Count
Application	Openzeppelin Openzeppelin Contracts Upgradeable 4.9.4 Openzeppelin Contracts 4.9.4	2

Common Weakness Enumeration (CWE)

CWE-670 - Always-Incorrect Control Flow Implementation

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References