PT-2023-19311 · Openzeppelin · Openzeppelin Contracts For Cairo

Martriay · Published 2023-02-02 · Updated 2023-02-13 · CVE-2023-23940

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

Name of the Vulnerable Software and Affected Versions

OpenZeppelin Contracts for Cairo versions prior to 0.6.1

Description

The is_valid_eth_signature function is missing a call to finalize_keccak after calling verify_eth_signature. This allows a malicious sequencer to bypass signature validation and impersonate accounts that use the EthAccount preset. The risk of exploitation is reduced because only StarkWare currently runs both a prover and a sequencer.

Recommendations

Update to version 0.6.1 to resolve the issue. As a temporary workaround, consider restricting access to the is_valid_eth_signature function until the update is applied. Additionally, be cautious of potential malicious sequencer activity and monitor for any unusual account impersonation attempts.
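
A defender-side check for the pattern described above, as an added example (not code from the advisory or from OpenZeppelin): a heuristic Python scan that flags Cairo functions which call verify_eth_signature without a finalize_keccak call in the same body. The sample source and the names check_unfinalized and check_finalized are constructed; the scan assumes Cairo 0.10-style `//` comments and that finalization is expected in the same function.

```python
import re

FUNC_RE = re.compile(r"\bfunc\s+(\w+)")
VERIFY_RE = re.compile(r"\bverify_eth_signature\w*\s*\(")
FINALIZE_RE = re.compile(r"\bfinalize_keccak\s*\(")

# Constructed sample in Cairo 0.10-style syntax (assumed); not the project's code.
SAMPLE = """
func check_unfinalized{range_check_ptr}(hash: felt, sig: felt*) -> (is_valid: felt) {
    let (keccak_ptr: felt*) = alloc();
    with keccak_ptr {
        verify_eth_signature(msg_hash=h, r=r, s=s, v=v, eth_address=key);
    }
    // finalize_keccak(keccak_ptr_start, keccak_ptr);
    return (is_valid=TRUE);
}

func check_finalized{range_check_ptr}(hash: felt, sig: felt*) -> (is_valid: felt) {
    let (keccak_ptr: felt*) = alloc();
    local keccak_ptr_start: felt* = keccak_ptr;
    with keccak_ptr {
        verify_eth_signature(msg_hash=h, r=r, s=s, v=v, eth_address=key);
    }
    finalize_keccak(keccak_ptr_start=keccak_ptr_start, keccak_ptr_end=keccak_ptr);
    return (is_valid=TRUE);
}
"""


def strip_comments(source):
    """Drop `//` line comments so a commented-out call does not count."""
    return "\n".join(line.split("//", 1)[0] for line in source.splitlines())


def split_functions(source):
    """Yield (name, body); a body runs from the name to the next `func` or EOF."""
    matches = list(FUNC_RE.finditer(source))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(source)
        yield m.group(1), source[m.end():end]


def missing_finalize(source):
    """Names of functions that call verify_eth_signature* without finalize_keccak."""
    return [name for name, body in split_functions(strip_comments(source))
            if VERIFY_RE.search(body) and not FINALIZE_RE.search(body)]
```

A flagged function is a candidate for manual review, not proof of the flaw, since the scan only looks within a single function body.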

Exploit

Fix

Weakness Enumeration

Insufficient Verification of Data Authenticity
Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2023-23940
GHSA-626Q-V9J4-MCP4
PYSEC-2023-39

Affected Products

Openzeppelin Contracts For Cairo