The audited contract inherits the functionalities of OpenZeppelin contracts; however, they have been included in the code by copying them rather than through a package manager. This is not recommended by OpenZeppelin, though it is not necessarily incorrect.
By using the original sources, if the upstream project fixes any vulnerability or bug in its code, that update would be obtained automatically, avoiding inheriting known vulnerabilities. Additionally, these OpenZeppelin contracts are under the MIT license, which requires its license/copyright notice to be included within the code. For this reason, we highly recommend including the reference or copyright in the audited project.
It has been verified that certain files from the OpenZeppelin repository, such as AccessControl, ECDSA, Strings or Counter, show relevant differences compared to the current repository, which means the project contains outdated third-party code. This is a bad practice during any development, since bugs that are fixed in the upstream project's code are not applied to our code if the official package is not used.
Recommendations
• Include third-party code via a package manager.
• Include the references/copyright notice for the OpenZeppelin code in the S-Token project, since it is under the MIT license.
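To make the drift described above measurable, the following helper (added here as an illustration; it is not part of the audited project or of OpenZeppelin) compares a directory of copied OpenZeppelin sources against the copy installed by the package manager and flags files whose content differs, files with no upstream counterpart, and files that lost the MIT SPDX header. The sample file trees are constructed; `load_tree` reads real directories.

```python
import hashlib
import re
from pathlib import Path

# Vendored OpenZeppelin files are expected to keep the MIT SPDX header.
MIT_HEADER = re.compile(r"^\s*//\s*SPDX-License-Identifier:\s*MIT\b", re.M)

def digest(text: str) -> str:
    """Content hash used to decide whether a copied file drifted."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def load_tree(root: Path) -> dict:
    """Map every .sol file under root to its text, keyed by relative path."""
    return {str(p.relative_to(root)): p.read_text("utf-8")
            for p in root.rglob("*.sol")}

def audit_vendored(vendored: dict, upstream: dict) -> dict:
    """Compare copied files against the package-manager copy.
    Both arguments map relative path -> file text. The result maps each
    vendored path to its findings; an empty list means the copy is
    byte-identical to upstream and keeps its license header."""
    report = {}
    for path, text in vendored.items():
        findings = []
        if not MIT_HEADER.search(text):
            findings.append("MIT license header missing")
        if path not in upstream:
            findings.append("no such file in upstream package")
        elif digest(text) != digest(upstream[path]):
            findings.append("content differs from upstream package")
        report[path] = findings
    return report

# Constructed sample trees standing in for the copied code and for
# node_modules/@openzeppelin/contracts/ (the package-manager copy).
SAMPLE_UPSTREAM = {
    "utils/Strings.sol": "// SPDX-License-Identifier: MIT\nlibrary Strings {}\n",
    "utils/cryptography/ECDSA.sol":
        "// SPDX-License-Identifier: MIT\nlibrary ECDSA { function recover() internal pure {} }\n",
}
SAMPLE_VENDORED = {
    "utils/Strings.sol": SAMPLE_UPSTREAM["utils/Strings.sol"],  # identical copy
    "utils/cryptography/ECDSA.sol":  # header stripped, body edited locally
        "library ECDSA { function recover() internal pure returns (address) {} }\n",
    "utils/Counters.sol": "// SPDX-License-Identifier: MIT\nlibrary Counters {}\n",
}

if __name__ == "__main__":
    for path, findings in audit_vendored(SAMPLE_VENDORED, SAMPLE_UPSTREAM).items():
        print(f"{path}: {'; '.join(findings) or 'OK'}")
```

On a real checkout, run `npm install @openzeppelin/contracts` and pass `load_tree(Path("contracts/vendor"))` (the copied sources; path assumed) and `load_tree(Path("node_modules/@openzeppelin/contracts"))` to `audit_vendored`.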