PT-2023-24884 · Ink! · Ink!

Facundo Lerena · Published 2023-06-14 · Updated 2023-06-28 · CVE-2023-34449

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions: ink! versions 4.0.0 through 4.2.1

Description: The return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This issue is related to the mechanics around decoding a call's return buffer, which was changed as part of pull request 1450. No previous versions are affected since this feature was only released in ink! 4.0.0. An analysis of on-chain deployments of ink! contracts on several chains found no contracts affected by the issue.

Recommendations: For ink! versions 4.0.0 through 4.2.1, upgrade to version 4.2.1 to receive a patch.

Weakness Enumeration

Improper Check for Exceptional Conditions

Related identifiers

CVE-2023-34449
GHSA-853P-5678-HV8F

Affected products

Ink!