
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-49798 affects OpenZeppelin Contracts, a library for smart contract development. A merge issue when porting the 5.0.1 patch to the 4.9 branch caused a line duplication in the version of Multicall.sol released in @openzeppelin/contracts@4.9.4 and @openzeppelin/contracts-upgradeable@4.9.4. The vulnerability was discovered and disclosed on December 8, 2023 (Vendor Advisory).
The vulnerability stems from a duplicated functionDelegateCall line in the Multicall.sol contract, causing all subcalls to be executed twice. The issue has a CVSS v3.1 base score of 7.5 HIGH (NIST: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is classified under CWE-670 (Always-Incorrect Control Flow Implementation) (NVD).
The vulnerability exposes users to unintentionally duplicated operations, especially asset transfers. In the affected versions, each subcall passed to the Multicall contract is executed twice, which could lead to double-spending or other unintended duplicate state changes (Vendor Advisory).
The vulnerability has been patched in version 4.9.5, where the duplicated delegatecall was removed. Version 4.9.4 has been marked as deprecated, and users are strongly advised to upgrade to the patched version. There are no known workarounds for this issue other than upgrading (Vendor Advisory).
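The shape of the bug, as an added illustration that is not OpenZeppelin's code: a simplified Multicall mixin with the duplicated delegatecall line beside the single-call form, plus a constructed toy ledger so the doubled effect of one encoded transfer is observable. All contract and function names here are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Shared helper (constructed for this example): delegatecall back into this
// contract so the subcall shares storage and sees the original msg.sender.
abstract contract MulticallBase {
    function _delegate(bytes calldata call) internal returns (bytes memory) {
        (bool ok, bytes memory ret) = address(this).delegatecall(call);
        if (!ok) {
            // bubble up the subcall's revert data unchanged
            assembly { revert(add(ret, 32), mload(ret)) }
        }
        return ret;
    }
}

// Vulnerable shape: the merge duplicated the delegatecall line, so every
// entry in `data` is executed twice (transfers, approvals, anything).
abstract contract MulticallVulnerable is MulticallBase {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = _delegate(data[i]);
            results[i] = _delegate(data[i]); // duplicated line: subcall runs a second time
        }
    }
}

// Patched shape: exactly one delegatecall per entry.
abstract contract MulticallFixed is MulticallBase {
    function multicall(bytes[] calldata data) external virtual returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            results[i] = _delegate(data[i]);
        }
    }
}

// Constructed toy ledger: deployer starts with 100 units.
abstract contract Ledger {
    mapping(address => uint256) public balanceOf;
    constructor() { balanceOf[msg.sender] = 100; }
    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount; // 0.8 checked arithmetic reverts on underflow
        balanceOf[to] += amount;
    }
}

contract LedgerVulnerable is Ledger, MulticallVulnerable {}
contract LedgerFixed is Ledger, MulticallFixed {}
```

Calling `multicall` on `LedgerVulnerable` with a single `abi.encodeCall(Ledger.transfer, (to, amount))` entry debits the caller twice, while `LedgerFixed` applies it once; a unit test asserting the recipient's balance after one multicall is enough to catch this class of regression before release.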
Source: This report was generated using AI