
Always-Incorrect Control Flow Implementation

CVE-2023-49798

Severity High
Score 7.5/10

Summary

OpenZeppelin Contracts is a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication. In the version of "Multicall.sol" released in "@openzeppelin/contracts@4.9.4" and "@openzeppelin/contracts-upgradeable@4.9.4", all subcalls are executed twice. Concretely, this exposes a user to unintentionally duplicated operations such as asset transfers. The duplicated delegatecall affects version 4.9.4 and was removed in version 4.9.5. The 4.9.4 version is marked as deprecated.
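The following is an added illustration of the defect described above, written for this page and not taken from the OpenZeppelin repository: a multicall loop with the delegatecall line present twice beside the corrected loop, plus a toy ledger and a probe contract that shows a single queued transfer moving double the amount. It deliberately omits the ERC-2771 context-suffix forwarding the real library performs, replaces Address.functionDelegateCall with a minimal helper, and uses constructed names and values (DelegateHelper, Ledger, Probe, the 0xBEEF recipient, the balance of 100).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction only; this is NOT the OpenZeppelin source.
// Minimal stand-in for Address.functionDelegateCall (assumption: bubbling the
// raw revert data is enough for this demonstration).
library DelegateHelper {
    function functionDelegateCall(address target, bytes memory data) internal returns (bytes memory) {
        (bool ok, bytes memory ret) = target.delegatecall(data);
        if (!ok) {
            // bubble up the callee's revert reason unchanged
            assembly {
                revert(add(ret, 32), mload(ret))
            }
        }
        return ret;
    }
}

interface IMulticall {
    function multicall(bytes[] calldata data) external returns (bytes[] memory results);
}

// Pattern of the affected 4.9.4 release: the delegatecall statement appears twice,
// so every subcall in `data` runs twice and only the second result is kept.
abstract contract MulticallDuplicated is IMulticall {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = DelegateHelper.functionDelegateCall(address(this), data[i]);
            results[i] = DelegateHelper.functionDelegateCall(address(this), data[i]); // duplicated line
        }
        return results;
    }
}

// Corrected pattern (as in 4.9.5): each subcall executes exactly once.
abstract contract MulticallFixed is IMulticall {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = DelegateHelper.functionDelegateCall(address(this), data[i]);
        }
        return results;
    }
}

// Constructed toy ledger so the effect on an asset transfer is observable.
abstract contract Ledger {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 100; // constructed starting balance for the deployer
    }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

contract LedgerDuplicated is Ledger, MulticallDuplicated {}
contract LedgerFixed is Ledger, MulticallFixed {}

// Deploys one ledger, queues a single transfer(RECIPIENT, 10) through multicall
// and reports how much actually moved: 20 with the duplicated line, 10 with the fix.
contract Probe {
    address constant RECIPIENT = address(0xBEEF); // constructed address

    function amountMoved(bool useFixedVersion) external returns (uint256) {
        // Probe is msg.sender of the constructor, so it holds the starting balance.
        Ledger ledger = useFixedVersion
            ? Ledger(address(new LedgerFixed()))
            : Ledger(address(new LedgerDuplicated()));

        bytes[] memory calls = new bytes[](1);
        calls[0] = abi.encodeCall(Ledger.transfer, (RECIPIENT, 10));

        // delegatecall keeps msg.sender == Probe inside transfer()
        IMulticall(address(ledger)).multicall(calls);
        return ledger.balanceOf(RECIPIENT);
    }
}
```

Deploying Probe and calling amountMoved(false) returns 20 while amountMoved(true) returns 10, which is the observable signature of the advisory's "all subcalls are executed twice": a caller who batches one transfer has two applied. The check a maintainer would want is a unit test pinning the count of subcall executions per entry, since the duplicated statement is type-correct and compiles cleanly, so nothing short of a behavioural test or a review of the merged diff catches it.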

CVSS base metrics

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Integrity: HIGH
  • Scope: UNCHANGED
  • Privileges Required: NONE
  • User Interaction: NONE
  • Confidentiality: NONE
  • Availability: NONE

CWE-670 - Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Advisory Timeline

  • Published