Ink! · Ink! · CVE-2023-34449
**Name of the Vulnerable Software and Affected Versions**
ink! versions 4.0.0 through 4.2.1
**Description**
The return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink env::invoke contract delegate`, is decoded incorrectly. This issue is related to the mechanics around decoding a call's return buffer, which was changed as part of pull request 1450. No previous versions are affected since this feature was only released in ink! 4.0.0. An analysis of on-chain deployments of ink! contracts on several chains found no contracts affected by the issue.
**Recommendations**
For ink! versions 4.0.0 through 4.2.1, upgrade to version 4.2.1 to receive a patch.