PT-2023-22770 · Npm · @Web3-React/Metamask+4
Andrewmohawk · Published 2023-04-17 · Updated 2023-05-01 · CVE-2023-30543
CVSS v3.1: 5.2 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions
@web3-react versions prior to the updated npm artifacts
Description
The chainId may be outdated if the user changes chains as part of the connection flow, causing the value of chainId returned by useWeb3React() to be incorrect. This can lead to incorrect data derived from chainId, such as a wrapped token contract address in a swapping application, potentially causing users to send funds to the incorrect address.
Recommendations
For @web3-react versions prior to the updated npm artifacts, upgrade to at least:
- @web3-react/coinbase-wallet@^8.0.35-beta.0
- @web3-react/eip1193@^8.0.27-beta.0
- @web3-react/metamask@^8.0.30-beta.0
- @web3-react/walletconnect@^8.0.37-beta.0
As a temporary workaround, consider verifying the chainId value before deriving any critical data from it.
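One way to apply this workaround, shown as an added example that is not part of the advisory or of the @web3-react code: re-read the chain from the wallet through the standard EIP-1193 eth_chainId request and refuse to derive a wrapped token address when it disagrees with the value from useWeb3React(). The function names, the mock provider and the token addresses are hypothetical, constructed values.

```javascript
// Added example: re-check the chainId from useWeb3React() against the wallet
// before deriving chain-specific data. All names here are hypothetical.

// Constructed placeholder addresses keyed by sample chain ids, NOT real contracts.
const WRAPPED_TOKEN_BY_CHAIN = new Map([
  [1, '0x0000000000000000000000000000000000000001'],
  [137, '0x0000000000000000000000000000000000000137'],
]);

// Parse an eth_chainId reply (hex quantity such as "0x89") into a number.
function parseChainId(raw) {
  if (typeof raw === 'number' && Number.isSafeInteger(raw) && raw > 0) return raw;
  if (typeof raw === 'string' && /^0x[0-9a-fA-F]+$/.test(raw)) {
    const n = Number.parseInt(raw, 16);
    if (Number.isSafeInteger(n) && n > 0) return n;
  }
  throw new Error(`unparseable chainId: ${String(raw)}`);
}

// Pure check: compare the hook's (possibly stale) chainId with the wallet's.
function checkChainId(hookChainId, walletRawChainId) {
  const walletChainId = parseChainId(walletRawChainId);
  if (hookChainId !== walletChainId) {
    return { ok: false, reason: `stale chainId: hook=${hookChainId} wallet=${walletChainId}` };
  }
  const wrappedToken = WRAPPED_TOKEN_BY_CHAIN.get(walletChainId);
  if (!wrappedToken) return { ok: false, reason: `unsupported chain ${walletChainId}` };
  return { ok: true, chainId: walletChainId, wrappedToken };
}

// Ask the EIP-1193 provider for its current chain, then run the check.
// Call this immediately before building a transaction, not at render time.
async function resolveWrappedToken(provider, hookChainId) {
  const raw = await provider.request({ method: 'eth_chainId' });
  const result = checkChainId(hookChainId, raw);
  if (!result.ok) throw new Error(result.reason);
  return result.wrappedToken;
}

// Constructed stand-in for a wallet that switched to chain 137 during connection.
const mockProvider = {
  request: async ({ method }) => (method === 'eth_chainId' ? '0x89' : null),
};
```

The check fails closed: a mismatch, an unknown chain or an unparseable reply all stop the flow before any address is derived.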
Exploit
Fix
Race Condition
Weakness Enumeration
Related Identifiers
Affected Products
@Web3-React
@Web3-React/Coinbase-Wallet
@Web3-React/Eip1193
@Web3-React/Metamask
@Web3-React/Walletconnect