{"id":"PYSEC-2023-39","details":"OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts. The issue has been patched in 0.6.1.","aliases":["CVE-2023-23940","GHSA-626q-v9j4-mcp4"],"modified":"2026-02-22T22:49:15.001963Z","published":"2023-02-03T20:15:00Z","references":[{"type":"FIX","url":"https://github.com/OpenZeppelin/cairo-contracts/pull/542/commits/6d4cb750478fca2fd916f73297632f899aca9299"},{"type":"WEB","url":"https://github.com/OpenZeppelin/cairo-contracts/pull/542/commits/6d4cb750478fca2fd916f73297632f899aca9299"},{"type":"ADVISORY","url":"https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-626q-v9j4-mcp4"}],"affected":[{"package":{"name":"openzeppelin-cairo-contracts","ecosystem":"PyPI","purl":"pkg:pypi/openzeppelin-cairo-contracts"},"ranges":[{"type":"GIT","repo":"https://github.com/OpenZeppelin/cairo-contracts","events":[{"introduced":"0"},{"fixed":"6d4cb750478fca2fd916f73297632f899aca9299"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0.2.0"},{"fixed":"0.6.1"}]}],"versions":["0.2.0","0.2.1","0.3.0","0.3.1","0.3.2","0.4.0","0.4.0b0","0.5.0","0.5.1","0.6.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/openzeppelin-cairo-contracts/PYSEC-2023-39.yaml"}}],"schema_version":"1.7.3"}