Duplicated execution of subcalls in v4.9.4

Moderate
Amxx published GHSA-699g-q6qh-q4v8 Dec 8, 2023

Package: @openzeppelin/contracts (npm)
Affected versions: 4.9.4
Patched versions: 4.9.5

Package: @openzeppelin/contracts-upgradeable (npm)
Affected versions: 4.9.4
Patched versions: 4.9.5

Description

Context

A merge-conflict resolution error while porting the v5.0.1 Multicall update to the v4.9 branch left a duplicated line in the Multicall loop.

Impact

Contracts that use Multicall from @openzeppelin/contracts@4.9.4 or @openzeppelin/contracts-upgradeable@4.9.4 will execute each subcall twice. Concretely, this exposes a user to unintentionally duplicated operations such as asset transfers.

Patches

The duplicated delegatecall was removed in 4.9.5. The 4.9.4 version is marked as deprecated.
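The shape of the defect beside the corrected loop, as an added illustration that is not the library's code: a stripped-down Multicall with a leftover second delegatecall per element, and a toy ledger that makes the double execution observable. The Delegate library, LedgerDuplicated, LedgerFixed and debit are constructed names for this example; the real 4.9.4 loop body is not reproduced here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for the library's delegatecall helper (not OpenZeppelin's Address library).
library Delegate {
    function delegate(address target, bytes memory data) internal returns (bytes memory) {
        (bool ok, bytes memory ret) = target.delegatecall(data);
        require(ok, "subcall failed");
        return ret;
    }
}

// Shape of the 4.9.4 defect: a stale line survived the merge, so every element is delegatecalled twice.
abstract contract MulticallDuplicated {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = Delegate.delegate(address(this), data[i]); // stale line: first execution
            results[i] = Delegate.delegate(address(this), data[i]); // intended line: second execution
        }
    }
}

// 4.9.5 shape: exactly one delegatecall per element.
abstract contract MulticallFixed {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = Delegate.delegate(address(this), data[i]);
        }
    }
}

// Constructed ledger: delegatecall keeps msg.sender, so `debit` charges the account that called multicall.
contract LedgerDuplicated is MulticallDuplicated {
    mapping(address => uint256) public balance;
    constructor() { balance[msg.sender] = 100; }
    function debit(uint256 amount) external { balance[msg.sender] -= amount; }
}

contract LedgerFixed is MulticallFixed {
    mapping(address => uint256) public balance;
    constructor() { balance[msg.sender] = 100; }
    function debit(uint256 amount) external { balance[msg.sender] -= amount; }
}
```

Calling `multicall` from the deployer with a single encoded `debit(30)` subcall leaves the deployer's balance at 40 in LedgerDuplicated and at 70 in LedgerFixed, which is the duplicated-transfer effect the advisory describes.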

Severity

Moderate

CVE ID

CVE-2023-49798

Weaknesses

No CWEs