ewilz
commented
11 months ago There's no critical vulnerabiliy there. It's misinformation from etherscan and dedaub. They found a pretty unserious issue in a version way prior to anything we used in production (that we almost didn't even patch)
However, you're right, we do need a good change log for our changes. thanks for flagging.
Florian-S-A-W
As far as I understand, the only difference between the UniversalRouter and UniversalRouterV1_2 contracts is that the critical vulnerability mentioned here was fixed.
Users should always use the new version, but the difference is not documented anywhere. I noticed new projects still using the old router.
I think it would make sense to add a note in the project README, a comment in the deployment address files, or both.