Solidity-Jobs / S-Token

This is a Security Token!

SJSC05 – Provide License for Third-Party Code (Informative) #11

Open Reg0x opened 3 years ago

Reg0x commented 3 years ago

The audited contract inherits the functionalities of OpenZeppelin contracts; however, they have been included in the code by copying them rather than through a package manager. This is not recommended by OpenZeppelin, though not necessarily incorrect. By using the original sources, in case the project resolves any vulnerability or bug in the code, we would obtain this update automatically, avoiding inheriting known vulnerabilities. Additionally, these OpenZeppelin contracts are under the MIT license, which requires its license/copyright notice to be included within the code. For this reason, we highly recommend including the reference or copyright in the audited project.

It has been verified that certain files from the OpenZeppelin repository, such as AccessControl, ECDSA, Strings or Counter, have relevant differences compared to the current repository, which means that there is outdated third-party code. This is a bad practice during any development, since bugs could be fixed in the code of the project that contains it and not be applied to our code if the official package is not used.

Reg0x commented 3 years ago

Recommendations

• Include third-party code via a package manager.
• Include any references/copyright to OpenZeppelin code in the S-Token project, since it is under the MIT license.
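One way to check for the two problems raised in this issue, copied OpenZeppelin files that have drifted from the official package and copies without the MIT license notice, as an added example that is not part of the issue or the S-Token project; the two directory paths are placeholders for the project's real layout:

```python
# Drift/licence check for copied OpenZeppelin sources. Added example, not S-Token code.
# Assumed (placeholder) layout: copies under contracts/vendor/openzeppelin, the npm
# package under node_modules/@openzeppelin/contracts.
import hashlib
import os
import re

SPDX_RE = re.compile(r"^\s*//\s*SPDX-License-Identifier:\s*(\S+)", re.MULTILINE)

def _sol_files(base):
    """Yield (relative_path, absolute_path) for every .sol file under base."""
    for root, _dirs, files in os.walk(base):
        for name in sorted(files):
            if name.endswith(".sol"):
                path = os.path.join(root, name)
                yield os.path.relpath(path, base), path

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def vendored_drift(vendored_dir, upstream_dir):
    """Compare each copied .sol file with the same relative path in the package.
    Returns {rel_path: 'identical' | 'differs' | 'missing-upstream'}; 'differs'
    means the copy is outdated (or locally modified) and may lack upstream fixes."""
    report = {}
    for rel, vendored in _sol_files(vendored_dir):
        upstream = os.path.join(upstream_dir, rel)
        if not os.path.isfile(upstream):
            report[rel] = "missing-upstream"
        elif _sha256(vendored) == _sha256(upstream):
            report[rel] = "identical"
        else:
            report[rel] = "differs"
    return report

def license_gaps(vendored_dir, expected="MIT"):
    """List copied .sol files whose SPDX identifier is absent or not `expected`."""
    gaps = []
    for rel, path in _sol_files(vendored_dir):
        with open(path, encoding="utf-8") as f:
            m = SPDX_RE.search(f.read())
        if m is None or m.group(1) != expected:
            gaps.append(rel)
    return gaps

if __name__ == "__main__":
    drift = vendored_drift("contracts/vendor/openzeppelin", "node_modules/@openzeppelin/contracts")
    for rel, status in sorted(drift.items()):
        print(f"{status:16} {rel}")
    for rel in license_gaps("contracts/vendor/openzeppelin"):
        print(f"no MIT SPDX tag  {rel}")
```

Run it after `npm install` of the pinned OpenZeppelin version; any file reported as `differs` or `missing-upstream` is a copy that will not receive upstream fixes automatically.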