Incorrect openzeppelin version #145
Labels
bug
Something isn't working
duplicate
This issue or pull request already exists
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Comments
code423n4
added
2 (Med Risk)
|
Brownie is used to install dependencies and compile the contracts, using this outdated version declared in the package.json does not impose any risks qualified as medium severity. I submitted this finding as low in #215 - [L-08] Contracts are using outdated OpenZeppelin version ^3.4.2-solc-0.7 |
This was referenced Jun 15, 2022
jeffywu
added
the
sponsor disputed
|
Thanks @berndartmueller |
gzeoneth
added
QA (Quality Assurance)
|
Consider with #146 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashBase.sol#L12-L13
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/proxy/nBeaconProxy.sol#L4
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/proxy/nUpgradeableBeacon.sol#L4
Vulnerability details
Details
Wrapped fCash uses package
@openzeppelin/contractsversion3.4.2-solc-0.7. In code, it importsSafeERC20fromutilsandIERC20Metadatafromextensionsof ERC20.But in branch
release-v3.4-solc-0.7ofopenzeppelin-contractsthere is no folderutilsorextensions.Proof Of Concept
Openzeppelin repo: https://github.com/OpenZeppelin/openzeppelin-contracts/tree/release-v3.4-solc-0.7/contracts/token/ERC20
Recommended Mitigation Steps
Update openzeppelin version (e.g
4.6.0)The text was updated successfully, but these errors were encountered: