CVE-2022-35916

Name of the Vulnerable Software and Affected Versions OpenZeppelin Contracts versions prior to 4.7.2

Description The issue affects contracts using the cross chain utilities for Arbitrum L2, specifically CrossChainEnabledArbitrumL2 or LibArbitrumL2. These contracts classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. The severity of this issue is assessed as low because any action taken by an EOA on the contract could also be taken by the EOA through the bridge if the issue was not present.

Recommendations For versions prior to 4.7.2, upgrade to version 4.7.2 to resolve the issue. As a temporary workaround, consider restricting the use of CrossChainEnabledArbitrumL2 and LibArbitrumL2 until the upgrade is applied.