Solidity-Jobs / S-Token

This is a Security Token!

SJSC04 – Outdated Third-Party Libraries (Informative) #10

Open Reg0x opened 3 years ago

Reg0x commented 3 years ago

The smart contracts analyzed inherit functionality from OpenZeppelin contracts that have been labeled obsolete and/or outdated. This does not imply a vulnerability by itself, because their logic does not present one, but it does imply that updates to third-party packages or libraries are not being carried out.

Currently the latest version of OpenZeppelin Contracts is 4.3.2; therefore it would be convenient to include it as a reference instead of including the sources. In this way we will keep the development environment updated.

Additionally, these OpenZeppelin contracts are under the MIT license, which requires that its license/copyright notice be included within the code.

By using the original sources, if the project resolves any vulnerability or bug in the code, you would obtain this update automatically, consequently avoiding inheriting known vulnerabilities.

Recommendations

- Include third-party code via a package manager.
- Include in the S-Token project any references/copyright notices for OpenZeppelin code, since it is under the MIT license.
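As an added illustration of the two recommendations (not code from the S-Token repository or from the issue author), the following shows a token contract that consumes OpenZeppelin through the npm package rather than vendored sources, pins the version the finding names, and carries an SPDX license identifier so the MIT attribution requirement is met for the imported code. The contract name `SToken`, its constructor arguments and the example `package.json` fragment in the comments are assumptions made for this example; the import paths `token/ERC20/ERC20.sol` and `access/Ownable.sol` are the real 4.x package layout.

```solidity
// SPDX-License-Identifier: MIT
//
// Assumed setup for this example (not from the S-Token project):
//   npm install --save-exact @openzeppelin/contracts@4.3.2
//
// The resulting package.json entry pins the exact audited release, so a later
// `npm install` cannot silently pull a different version:
//   "dependencies": { "@openzeppelin/contracts": "4.3.2" }
//
// Bumping the pinned version is then a one-line, reviewable change that brings
// in any upstream security fixes, instead of hand-patching copied sources.
pragma solidity ^0.8.0;

// Referenced from the package manager, never copied into the repository.
// OpenZeppelin Contracts is MIT-licensed; keeping these imports (and the
// package's own LICENSE file in node_modules) preserves the required notice.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// @title SToken (hypothetical name for this example)
/// @notice Minimal security-token skeleton that inherits audited, versioned
///         OpenZeppelin logic instead of a stale vendored copy.
contract SToken is ERC20, Ownable {
    // Ownable in the 4.x line takes no constructor argument; the deployer
    // becomes the owner. (5.x changed this signature, which is exactly the
    // kind of upstream change a pinned dependency makes explicit.)
    constructor(string memory name_, string memory symbol_) ERC20(name_, symbol_) {}

    /// @notice Only the owner may mint; uses the inherited, maintained _mint.
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}
```

With the dependency pinned this way, a dependency audit (for example `npm audit`, or simply comparing the pinned version against the OpenZeppelin release notes) tells the maintainers at a glance whether the contracts are built on a release with known issues, which is the information a vendored copy hides.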