I'm submitting a ...
[x] bug report
[ ] feature request
[ ] question about the decisions made in the repository
[ ] question about how to use this project
Summary
Hi,
I've encountered a critical dependency issue related to the usage of OpenZeppelin contracts (version <=4.9.1) within the smart-contract router. Several vulnerabilities have been identified, and I believe it's essential to address these to ensure the security and stability of the project.
Other information
Vulnerabilities Detected:
SignatureChecker may revert on invalid EIP-1271 signers. Details
GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals. Details
ERC165Checker may revert instead of returning false. Details
Vulnerable to ECDSA signature malleability. Details
Cross-chain utilities for Arbitrum L2 see EOA calls as cross-chain calls. Details
TransparentUpgradeableProxy clashing selector calls may not be delegated. Details
GovernorCompatibilityBravo may trim proposal calldata. Details
Governor proposal creation may be blocked by frontrunning. Details
Using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees. Details
ERC165Checker unbounded gas consumption. Details
Suggested Fix: The npm audit fix --force command suggests installing @uniswap/smart-order-router@2.0.1, which is a breaking change.
Affected Modules: The issue affects multiple modules, including @uniswap/smart-order-router, @uniswap/universal-router-sdk, @uniswap/v3-periphery, @uniswap/v3-staker, and others.
Impact: These vulnerabilities may lead to unexpected behavior, security risks, and potential loss of funds for users interacting with the affected contracts.
Recommendation: I strongly recommend reviewing the identified vulnerabilities and updating the dependencies to secure versions. Coordination with the OpenZeppelin team and other affected projects may also be beneficial.
Please let me know if you need any further information or assistance in resolving this issue.
Hi, thanks for opening this issue. We're aware of the vulnerabilities listed in previous versions of OZ contracts. However, we don't use any contracts that interface with the vulnerable contracts listed.
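An npm audit finding like the one reported above is raised per resolved package version, so the first triage step (for both the reporter and the maintainer's "we don't use the vulnerable contracts" answer) is to see which copies of @openzeppelin/contracts are actually in the dependency tree and which package nests each one. The following Node script is an added example, not code from this repository; it walks the lockfile v2/v3 "packages" map of a constructed package-lock.json (the package names and versions in the sample are illustrative, not the project's real tree) and compares each copy against the <=4.9.1 threshold quoted in the issue.

```javascript
// Added example: locate every resolved copy of @openzeppelin/contracts in an npm
// lockfile (v2/v3 "packages" map) and report its nesting chain and whether its
// version is at or below the threshold the issue quotes (<=4.9.1).
const PKG = "@openzeppelin/contracts";
const MAX_FLAGGED = "4.9.1"; // threshold taken from the issue text

// Compare two "x.y.z" versions numerically; pre-release suffixes are ignored.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "node_modules/@uniswap/v3-periphery/node_modules/@openzeppelin/contracts"
//   -> ["@uniswap/v3-periphery", "@openzeppelin/contracts"]
function chainFromPath(lockPath) {
  return lockPath.split("node_modules/").map((s) => s.replace(/\/$/, "")).filter(Boolean);
}

// Every resolved copy of PKG: version, the packages nesting it, and a flag that
// is true when the version is <= MAX_FLAGGED.
function findOpenZeppelinCopies(lock) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (!lockPath.endsWith("node_modules/" + PKG)) continue;
    hits.push({
      chain: chainFromPath(lockPath),
      version: meta.version,
      flagged: cmpVersion(meta.version, MAX_FLAGGED) <= 0,
    });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical versions): one hoisted newer copy and
// one older copy nested under a dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "@uniswap/v3-periphery": "^1.4.0" } },
    "node_modules/@openzeppelin/contracts": { version: "4.9.3" },
    "node_modules/@uniswap/v3-periphery": { version: "1.4.0" },
    "node_modules/@uniswap/v3-periphery/node_modules/@openzeppelin/contracts": { version: "3.4.2" },
  },
};

for (const h of findOpenZeppelinCopies(SAMPLE_LOCK)) {
  console.log(`${h.flagged ? "FLAGGED" : "ok     "} ${h.version}  via ${h.chain.join(" > ")}`);
}
```

To run it against a real tree, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); a flagged copy only matters if the nesting package actually deploys or calls the affected contract, which is the question the maintainer's reply answers.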