
CVE-2022-31153: CWE-664: Improper Control of a Resource Through its Lifetime in OpenZeppelin cairo-contracts

Medium
Published: Fri Jul 15 2022 (07/15/2022, 17:50:14 UTC)
Source: CVE
Vendor/Project: OpenZeppelin
Product: cairo-contracts

Description

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet. Only goerli deployments of v0.2.0 accounts are affected. This faulty behavior is not observed in StarkNet's testing framework. This bug has been patched in v0.2.1.

AI-Powered Analysis

AI analysis last updated: 06/22/2025, 00:12:01 UTC

Technical Analysis

CVE-2022-31153 is a medium-severity issue in version 0.2.0 of OpenZeppelin Contracts for Cairo (cairo-contracts), the library used to write smart contracts in Cairo for StarkNet, a decentralized zero-knowledge (ZK) rollup. It is classified as CWE-664 (Improper Control of a Resource Through its Lifetime). The defect renders the v0.2.0 account contracts, both the vanilla and the Ethereum-flavored variants, unusable once deployed to a live network. Because the v0.2.0 account classes were not whitelisted on StarkNet mainnet, they could not be deployed there; in practice only Goerli testnet deployments are affected. The advisory does not describe the root cause beyond its CWE classification. What it does state is that the failure does not reproduce in StarkNet's own testing framework, so a passing unit-test suite against a v0.2.0 account is no evidence that the account works on a live network, and that divergence is the likely reason the bug reached a release. No attacker action is needed to trigger it: an affected account simply stops functioning once it is live, and there are no known exploits in the wild. The impact is on availability: the account, and any application flow that depends on it, cannot be used until it is replaced with one built from the patched v0.2.1 release.

Potential Impact

For European organizations building on StarkNet with OpenZeppelin Contracts for Cairo, the practical impact is operational rather than a breach: an account contract built from v0.2.0 becomes unusable on a live network, so any test deployment, integration test or demo that relies on it stops working. Since the v0.2.0 accounts were not whitelisted on StarkNet mainnet, the exposure is confined to Goerli testnet deployments; mainnet accounts, and any value they hold, are not affected. The cost is therefore the denial of service to the affected accounts and the redeployment and migration work needed to replace them with v0.2.1 accounts, plus schedule risk for teams that used Goerli as a staging environment ahead of a mainnet launch. There are no known exploits, and no data or funds on mainnet are at risk from this issue.

Mitigation Recommendations

Inventory every StarkNet deployment and build pipeline that consumes OpenZeppelin Contracts for Cairo and identify any use of v0.2.0, whether as a dependency pin, vendored source or compiled account class. Treat any account contract built from v0.2.0 as broken: the fix is to rebuild from v0.2.1, deploy a fresh account and migrate whatever referenced the old one, since the defect is in the deployed code itself and there is nothing to configure around it. Because the v0.2.0 accounts were not whitelisted on mainnet, mainnet deployments need no action; concentrate on Goerli. Going forward, pin the library to a fixed, patched version and add a dependency check to CI so a vulnerable pin cannot reach a release. Do not rely solely on StarkNet's testing framework to validate account contracts: this bug passed the framework's tests and only surfaced on a live network, so include a deployment to a devnet or to Goerli in the release pipeline. Where downtime matters, consider an upgradeable (proxy) pattern for accounts so a fix can be rolled out without migrating to a new address, and follow OpenZeppelin and StarkNet advisories for updates.
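The dependency check above, as an added example that is not part of this page or of OpenZeppelin's own tooling: a stdlib-only audit that reads a requirements file and flags every requirement line whose version specifier could still resolve to the vulnerable 0.2.0 release, including compatible-release (`~=`) pins and unpinned entries that a naive `==0.2.0` grep would miss. It assumes the library is consumed as the PyPI distribution `openzeppelin-cairo-contracts` (an assumption; change `PACKAGE` if your project pulls it in another way), and the requirements text it scans is constructed for the example.

```python
"""Audit a requirements file for pins that admit the vulnerable
OpenZeppelin Contracts for Cairo release (v0.2.0, CVE-2022-31153).

Stdlib only.  Assumes the library is consumed as the PyPI distribution
``openzeppelin-cairo-contracts`` (an assumption; adjust PACKAGE otherwise).
"""
import re
from typing import List, Tuple

PACKAGE = "openzeppelin-cairo-contracts"   # assumed PyPI name
VULNERABLE = (0, 2, 0)                      # v0.2.0, per the advisory
FIXED = (0, 2, 1)                           # patched release

# name, optional [extras], then whatever specifier follows (comments are
# stripped before matching, so the specifier is everything to end of line)
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*?)\s*$")


def _norm(name: str) -> str:
    """PEP 503 normalisation so 'OpenZeppelin_Cairo.Contracts' matches."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _ver(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.strip().split("."))


def clause_allows(clause: str, v: Tuple[int, ...]) -> bool:
    """Does one PEP 440 clause (==, !=, <, <=, >, >=, ~=) admit version v?"""
    m = re.match(r"\s*(==|!=|<=|>=|<|>|~=)\s*([0-9.]+)\s*$", clause)
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    op, target = m.group(1), _ver(m.group(2))
    if op == "==":
        return v == target
    if op == "!=":
        return v != target
    if op == "<":
        return v < target
    if op == "<=":
        return v <= target
    if op == ">":
        return v > target
    if op == ">=":
        return v >= target
    # ~=X.Y.Z is the compatible-release clause: >=X.Y.Z and ==X.Y.*
    return v >= target and v[:len(target) - 1] == target[:-1]


def spec_allows(spec: str, v: Tuple[int, ...]) -> bool:
    """An empty specifier admits everything; otherwise every clause must hold."""
    spec = spec.strip()
    if not spec:
        return True
    return all(clause_allows(c, v) for c in spec.split(","))


def audit_requirements(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, raw_line, reason) for each requirement line that
    could resolve to the vulnerable release."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        if not stripped or stripped.startswith("-"):   # blank, -r, -e, --flags
            continue
        m = _REQ_RE.match(stripped)
        if not m or _norm(m.group(1)) != PACKAGE:
            continue
        spec = m.group(2)
        if spec_allows(spec, VULNERABLE):
            reason = "unpinned" if not spec else f"specifier {spec!r} admits 0.2.0"
            findings.append((n, line, reason))
    return findings


# Constructed sample input; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not from any real project
cairo-lang==0.9.1
openzeppelin-cairo-contracts==0.2.0
OpenZeppelin_Cairo_Contracts >= 0.2.1
openzeppelin-cairo-contracts~=0.2.0   # compatible-release pin still admits 0.2.0
openzeppelin-cairo-contracts          # unpinned
openzeppelin-cairo-contracts>=0.1.0,!=0.2.0
"""

if __name__ == "__main__":
    for line_no, raw, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {reason}: {raw.strip()}")
```

Against the constructed sample the audit flags lines 3, 5 and 6 and leaves lines 4 and 7 alone: `>=0.2.1` cannot resolve to 0.2.0, and `>=0.1.0,!=0.2.0` excludes it explicitly. Wire the function into CI so that a non-empty result fails the build.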


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-05-18T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9849c4522896dcbf6713

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/22/2025, 12:12:01 AM

Last updated: 8/12/2025, 3:08:51 AM

