CVE-2023-23940

Advisory

### Cause
`is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`.

### Impact
As a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts.

### Risk
In order to exploit this vulnerability, it is required to control a sequencer or prover since they're the ones executing the hints, being able to inject incorrect keccak results.

Today StarkWare is the only party running both a prover or a sequencer, greatly reducing the risk of exploit.

### Patches
The issue has been patched in 0.6.1.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the Contracts for Cairo repository](https://github.com/OpenZeppelin/cairo-contracts/issues/new/choose)
* Email us at [[email protected]](mailto:[email protected])

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/advisories/GHSA-626q-v9j4-mcp4
• https://nvd.nist.gov/vuln/detail/CVE-2023-23940
• https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-626q-v9j4-mcp4
• https://github.com/OpenZeppelin/cairo-contracts/pull/542/commits/6d4cb750478fca2fd916f73297632f899ac
• https://github.com/OpenZeppelin/cairo-contracts
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23940
• https://github.com/OpenZeppelin/cairo-contracts/pull/542/commits/6d4cb750478fca2fd916f73297632f899aca9299