Open code423n4 opened 2 years ago
https://github.com/code-423n4/2022-04-jpegd/blob/main/package.json#L18-L19
The solution uses:
"@openzeppelin/contracts": "^4.0.0",
"@openzeppelin/contracts-upgradeable": "^4.3.2",
These dependencies have a known high severity vulnerability:
Which makes these contracts vulnerable:
contracts/helpers/CryptoPunksHelper.sol: 19: function initialize(address punksAddress) external initializer {
contracts/helpers/EtherRocksHelper.sol: 19: function initialize(address rocksAddress) external initializer {
contracts/staking/JPEGStaking.sol: 21: function initialize(IERC20Upgradeable _jpeg) external initializer {
contracts/vaults/FungibleAssetVaultForDAO.sol: 71: ) external initializer {
contracts/vaults/NFTVault.sol: 149: ) external initializer {
Upgrade @openzeppelin/contracts and @openzeppelin/contracts-upgradeable to version 4.4.1 or higher.
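As an added check (not part of this finding or of the jpegd repository): a small script that reads a package.json and flags the two OpenZeppelin packages whose declared range still has a floor below 4.4.1. The caret ranges quoted above admit every 4.x release, so what the mitigation changes is the floor of the range; `WATCHED`, `FIXED_VERSION` and the sample package.json are the script's own constructed names and data.

```python
"""Flag OpenZeppelin dependency ranges whose floor is below the 4.4.1 fix.

Added example, not code from the finding or the jpegd code base. A range
such as "^4.3.2" can resolve to any 4.x release, including the ones that
predate 4.4.1, so the declared floor is what has to be raised.
"""
from __future__ import annotations

import json
import re

FIXED_VERSION = (4, 4, 1)  # version named in the mitigation
WATCHED = ("@openzeppelin/contracts", "@openzeppelin/contracts-upgradeable")


def parse_version(v: str) -> tuple[int, int, int]:
    """'4.3.2' -> (4, 3, 2); tolerates a leading 'v'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def range_floor(spec: str) -> tuple[int, int, int]:
    """Lowest version a simple npm range can resolve to.

    Handles exact versions and the ^ / ~ / >= prefixes that package.json
    commonly uses; anything else is rejected rather than guessed.
    """
    m = re.fullmatch(r"(\^|~|>=)?v?(\d+\.\d+\.\d+)", spec.strip())
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    return parse_version(m.group(2))


def vulnerable_deps(package_json: str, fixed=FIXED_VERSION) -> dict[str, str]:
    """Return {package: declared range} for watched packages whose range
    floor is below the fixed version, i.e. ranges that still admit a
    vulnerable release."""
    data = json.loads(package_json)
    findings: dict[str, str] = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if name in WATCHED and range_floor(spec) < fixed:
                findings[name] = spec
    return findings


# Constructed sample mirroring the two package.json lines quoted above.
SAMPLE = '''{"dependencies": {
  "@openzeppelin/contracts": "^4.0.0",
  "@openzeppelin/contracts-upgradeable": "^4.3.2",
  "hardhat": "^2.9.0"}}'''

if __name__ == "__main__":
    for name, spec in vulnerable_deps(SAMPLE).items():
        print(f"{name} {spec}: floor below 4.4.1, raise the range to ^4.4.1")
```

The declared range only bounds what may be installed; the version actually pinned in the lockfile should be checked against 4.4.1 as well.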
Fixed in https://github.com/jpegd/core/pull/11
Closed by mistake.