Always-Incorrect Control Flow Implementation
CVE-2023-49798
Summary
OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of "Multicall.sol" released in "@openzeppelin/[email protected]" and "@openzeppelin/[email protected]", every subcall is executed twice. Concretely, this exposes a user to unintentionally duplicated operations such as asset transfers. The duplicated delegatecall affects version 4.9.4 and was removed in version 4.9.5. Version 4.9.4 is marked as deprecated.
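The following contract is an added illustration of the bug shape described above; it is not OpenZeppelin's Multicall.sol, and the contract and function names, the loop layout and the revert-bubbling helper are assumptions made for the example. It places the batching loop with the duplicated delegatecall line next to the corrected loop, with a counter so the doubled side effect can be checked on-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract, not OpenZeppelin's Multicall.sol.
contract MulticallDemo {
    uint256 public counter;
    function increment() external {
        counter += 1;
    }
    // Buggy shape: the delegatecall statement occurs twice in the loop body,
    // so every subcall's state change is applied twice.
    function multicallBuggy(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            _bubble(ok, ret);
            (ok, ret) = address(this).delegatecall(data[i]); // the duplicated line
            _bubble(ok, ret);
            results[i] = ret;
        }
    }
    // Corrected shape: exactly one delegatecall per encoded subcall.
    function multicallFixed(bytes[] calldata data) external returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            _bubble(ok, ret);
            results[i] = ret;
        }
    }
    // Re-raise the subcall's revert data unchanged when it fails.
    function _bubble(bool ok, bytes memory ret) private pure {
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
    }
    // Regression check: a batch holding one encoded increment() must add exactly 1.
    // Returns the counter delta observed through each variant.
    function demo() external returns (uint256 buggyDelta, uint256 fixedDelta) {
        bytes[] memory batch = new bytes[](1);
        batch[0] = abi.encodeCall(this.increment, ());
        uint256 before = counter;
        this.multicallBuggy(batch);
        buggyDelta = counter - before; // the buggy loop applies the increment twice
        before = counter;
        this.multicallFixed(batch);
        fixedDelta = counter - before; // the corrected loop applies it once
    }
}
```

A deployment test that asserts `buggyDelta` is double `fixedDelta` is the kind of regression check that would have caught the merge error before release.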
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-670 - Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.