Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2023-30543
Summary
@web3-react is a framework for building Ethereum apps. In affected versions, the `chainId` may be outdated if the user changes chains as part of the connection flow. This means that the value of `chainId` returned by `useWeb3React()` may be incorrect, and any data an application derives from `chainId` could be incorrect as well. For example, if a swapping application derives a wrapped token contract address from the `chainId` and a user has changed chains as part of their connection flow, the application could cause the user to send funds to the incorrect address when wrapping. This vulnerability affects @web3-react/coinbase-wallet versions 6.0.0 through 8.0.34-beta.0, @web3-react/eip1193 versions 6.0.0 through 8.0.26-beta.0, @web3-react/metamask versions 6.0.0 through 8.0.29-beta.0, and @web3-react/walletconnect versions 6.0.0 through 8.0.36-beta.0.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- REQUIRED
- LOW
- NONE
- NONE
CWE-362 - Race Condition
A race condition occurs in a shared-memory program when two threads or processes access the same shared data and at least one of them performs a write. Exploitation manipulates the gap between time of check and time of use (TOCTOU) in the critical section to leave the shared data in an inconsistent state. The impact can vary from compromising the confidentiality of the system to causing the system to crash or to execute arbitrary code.
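An added example, not code from @web3-react or this advisory: a mock EIP-1193 provider reproduces the stale `chainId` described in the summary, and a time-of-use check refuses to derive the wrapped-token address from it. The function names, the read ordering in `connectStale`, and the placeholder addresses are assumptions constructed for illustration.

```javascript
// Constructed sample data: chain id -> wrapped-token address (placeholders, not real contracts).
const WRAPPED_TOKEN = { 1: "0xWRAPPED_ON_CHAIN_1", 137: "0xWRAPPED_ON_CHAIN_137" };

// Hypothetical mock of an EIP-1193 provider whose user switches chains while
// the account prompt is open (the connection-flow race from the summary).
function makeMockProvider(initialChainId, chainAfterPrompt) {
  let chainId = initialChainId;
  return {
    async request({ method }) {
      if (method === "eth_chainId") return "0x" + chainId.toString(16);
      if (method === "eth_requestAccounts") {
        chainId = chainAfterPrompt; // user changes chain during the prompt
        return ["0xACCOUNT_PLACEHOLDER"];
      }
      throw new Error("unsupported method " + method);
    },
  };
}

// Racy pattern (assumed ordering, for illustration): chainId is read once,
// before the prompt completes, and then cached as application state.
async function connectStale(provider) {
  const chainId = parseInt(await provider.request({ method: "eth_chainId" }), 16);
  const accounts = await provider.request({ method: "eth_requestAccounts" });
  return { chainId, accounts };
}

// Guard at time of use: re-read the chain from the provider and refuse to
// derive an address when the cached value no longer matches the wallet.
async function wrappedTokenFor(provider, cachedChainId) {
  const live = parseInt(await provider.request({ method: "eth_chainId" }), 16);
  if (live !== cachedChainId) {
    throw new Error(`chainId changed: cached ${cachedChainId}, wallet on ${live}`);
  }
  const address = WRAPPED_TOKEN[live];
  if (!address) throw new Error(`no wrapped token configured for chain ${live}`);
  return address;
}

// Runs both paths against a provider that moves from chain 1 to chain 137.
async function demo() {
  const provider = makeMockProvider(1, 137);
  const state = await connectStale(provider);
  const unguarded = WRAPPED_TOKEN[state.chainId]; // address for the wrong chain
  let guarded;
  try { guarded = await wrappedTokenFor(provider, state.chainId); }
  catch (e) { guarded = e.message; }
  return { cached: state.chainId, unguarded, guarded };
}
```

The guard narrows the check-to-use window but does not replace upgrading past the affected connector versions listed in the summary.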