OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4
Severity: Moderate (GitHub Reviewed)
Published Dec 8, 2023 in OpenZeppelin/openzeppelin-contracts. Updated Dec 12, 2023.
Description
Published by the National Vulnerability Database: Dec 9, 2023
Published to the GitHub Advisory Database: Dec 12, 2023
Reviewed: Dec 12, 2023
Last updated: Dec 12, 2023
Context
A merge conflict resolution issue when porting the v5.0.1 Multicall update to the v4.9 branch caused a duplicated line.

Impact
Versions using Multicall from @openzeppelin/contracts@4.9.4 and @openzeppelin/contracts-upgradeable@4.9.4 will execute each subcall twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers.

Patches
The duplicated delegatecall was removed in 4.9.5. The 4.9.4 version is marked as deprecated.

References
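The following is an added, simplified illustration of the defect pattern described above, not OpenZeppelin's own Multicall source: a duplicated delegatecall line inside the batching loop, placed next to the single-call loop the 4.9.5 fix restores. The `Token` contract and its balances are constructed here only to make the doubled effect visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed sample state: a tiny token so a batched transfer has an observable effect.
contract Token {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 100; // deployer starts with 100 units (constructed value)
    }

    function transfer(address to, uint256 amount) public {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

// Vulnerable pattern (illustrative, mirrors the 4.9.4 defect): the delegatecall line is
// duplicated, so every subcall in the batch executes twice. delegatecall keeps the
// original msg.sender, so a batched transfer(bob, 40) moves 80, not 40.
contract MulticallBuggy is Token {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = _delegate(data[i]);
            results[i] = _delegate(data[i]); // duplicated line: subcall runs a second time
        }
    }

    function _delegate(bytes calldata call) internal returns (bytes memory) {
        (bool ok, bytes memory ret) = address(this).delegatecall(call);
        require(ok, "subcall failed");
        return ret;
    }
}

// Corrected pattern (what removing the duplicate restores): each subcall runs exactly once.
contract MulticallFixed is Token {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "subcall failed");
            results[i] = ret;
        }
    }
}
```

Calling `multicall` with a single encoded `transfer(bob, 40)` leaves `bob` holding 80 on `MulticallBuggy` but 40 on `MulticallFixed`, which is the concrete duplicate-transfer exposure the advisory describes.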