Summary
We list 2 low-critical findings:
(Low) Deploy CNft as an upgradable contract by proxy
(Low) floating pragma
(Low) Deploy CNft as an upgradable contract by proxy
Impact
In CNftTest.ts, CNft is deployed without a proxy contract. Either deploy CNft behind a proxy so that it is actually upgradable, or drop @openzeppelin/contracts-upgradeable, since the upgradeable base contracts serve no purpose without a proxy.
Proof of Concept
CNft.sol uses ReentrancyGuardUpgradeable and OwnableUpgradeable: https://github.com/bunkerfinance/bunker-protocol/blob/752126094691e7457d08fc62a6a5006df59bd2fe/contracts/CNft.sol#L16
Tools Used
vim
Recommended Mitigation Steps
Use a proxy to deploy: https://docs.openzeppelin.com/upgrades-plugins/1.x/hardhat-upgrades. Or, if upgradability is not needed, replace ReentrancyGuardUpgradeable and OwnableUpgradeable with ReentrancyGuard and Ownable.
(Low) floating pragma
Impact
A floating pragma allows the contract to be compiled with a compiler version other than the one it was tested with, which may cause unexpected compile-time behaviour and introduce unintended bugs.
Proof of Concept
Tools Used
vim
Recommended Mitigation Steps
Don't use ^; lock the pragma to a specific compiler version, e.g. pragma solidity 0.8.0;
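As an added illustration of the first finding's two mitigation options (example code written for this report, not taken from the bunker-protocol repository), the contracts below contrast the upgradeable-base pattern, which only makes sense when deployed behind a proxy, with the plain Ownable/ReentrancyGuard pattern for a direct deployment. The contract names VaultUpgradeable and VaultPlain, the cap state variable and the fixed pragma version are placeholders chosen for the example; the import paths assume OpenZeppelin Contracts 4.x (ReentrancyGuard lives under security/ in that major version).

```solidity
// SPDX-License-Identifier: MIT
// Example code added for this report; placeholder compiler version, locked as the
// second finding recommends rather than using ^.
pragma solidity 0.8.17;

// Assumes OpenZeppelin Contracts / Contracts-Upgradeable 4.x import paths.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/security/ReentrancyGuardUpgradeable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Option 1: keep the upgradeable bases and deploy behind a proxy.
// There is no constructor-based setup: every piece of state, including the
// owner, is assigned in initialize(), which the proxy deployment calls once
// (with hardhat-upgrades: upgrades.deployProxy(Factory, [cap], { initializer: "initialize" })).
contract VaultUpgradeable is Initializable, OwnableUpgradeable, ReentrancyGuardUpgradeable {
    uint256 public cap;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the logic (implementation) contract itself so that initialize()
        // can only ever run through a proxy's storage, never on the bare logic contract.
        _disableInitializers();
    }

    // The initializer modifier guarantees this body runs at most once per proxy.
    function initialize(uint256 cap_) external initializer {
        __Ownable_init();          // sets owner() to msg.sender, i.e. the proxy deployer
        __ReentrancyGuard_init();  // sets the reentrancy status to NOT_ENTERED
        cap = cap_;
    }

    function setCap(uint256 cap_) external onlyOwner nonReentrant {
        cap = cap_;
    }
}

// Option 2: no proxy, so use the plain bases, which do their setup in constructors.
// Ownable's constructor assigns owner() to the deployer and ReentrancyGuard's
// constructor sets the initial status, so no separate initialize() call exists.
contract VaultPlain is Ownable, ReentrancyGuard {
    uint256 public cap;

    constructor(uint256 cap_) {
        cap = cap_;
    }

    function setCap(uint256 cap_) external onlyOwner nonReentrant {
        cap = cap_;
    }
}
```

The contrast is the point of the finding: with the upgradeable bases, initialize() is an ordinary public function rather than a constructor, so a contract of the first shape that is deployed directly (as CNftTest.ts does) has no owner until someone calls initialize(), and whichever account calls it first becomes owner. Deploying through the proxy plugin performs that call in the same transaction as proxy creation, while the second shape removes the separate initialization step altogether. Whichever option is chosen, the deployment script and the test should use the same path so that the tests exercise the contract as it will be deployed.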