Closed Florian-S-A-W closed 4 months ago
There's no critical vulnerability there. It's misinformation from Etherscan and Dedaub. They found a pretty unserious issue in a version way prior to anything we used in production (that we almost didn't even patch).
However, you're right, we do need a good change log for our changes. Thanks for flagging.
Thanks for clarifying - I noticed it on Etherscan, which links to the Dedaub blog post.
As far as I understand, the only difference between the UniversalRouter and UniversalRouterV1_2 contracts is that the critical vulnerability mentioned here was fixed.
Users should always use the new version, but the difference is not documented anywhere. I noticed new projects still using the old router.
I think it would make sense to add a note in the project README, a comment in the deployment address files, or both.