Closed code423n4 closed 2 years ago
Lines of code
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/brownie-config.yaml#L11
Vulnerability details
Impact
The solution uses "OpenZeppelin/openzeppelin-contracts-upgradeable@3.4.0". This dependency has a known high-severity vulnerability (https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINCONTRACTS-2320176), which makes the MyStrategy contract vulnerable:

```solidity
// MyStrategy inherits the affected upgradeable base and relies on its
// initializer modifier (contracts/MyStrategy.sol#L56).
contract MyStrategy is BaseStrategy, ReentrancyGuardUpgradeable {
    ...
    function initialize(address _vault) public initializer {
        ...
    }
}
```
Proof of Concept
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/brownie-config.yaml#L11
https://github.com/Badger-Finance/vested-aura/blob/v0.0.2/contracts/MyStrategy.sol#L56
Tools Used
None
Recommended Mitigation Steps
Upgrade @openzeppelin/contracts to version 4.4.1 or higher.
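As an added illustration of the mitigation (example code, not part of the report or of the vested-aura repository): a small dependency gate that reads the `dependencies:` list of a brownie-config.yaml and flags any pin below the 4.4.1 floor the report recommends. The config excerpt is constructed, and applying the same floor to both OpenZeppelin package names is an assumption.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Constructed brownie-config.yaml excerpt mirroring the pin the report cites.
BROWNIE_CONFIG = """\
dependencies:
  - OpenZeppelin/openzeppelin-contracts-upgradeable@3.4.0
  - OpenZeppelin/openzeppelin-contracts@4.4.1
compiler:
  solc:
    remappings:
      - "@openzeppelin-upgradeable=OpenZeppelin/openzeppelin-contracts-upgradeable@3.4.0"
"""

# Minimum safe version taken from the report's mitigation (4.4.1). Applying
# the same floor to both package names is an assumption of this example.
MIN_SAFE: Dict[str, Version] = {
    "OpenZeppelin/openzeppelin-contracts-upgradeable": (4, 4, 1),
    "OpenZeppelin/openzeppelin-contracts": (4, 4, 1),
}

# Brownie dependency entries look like "- Org/repo@1.2.3" (optional "v" prefix).
DEP_RE = re.compile(r"^\s*-\s*([\w.-]+/[\w.-]+)@v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_dependencies(config_text: str) -> List[Tuple[str, Version]]:
    """Return (package, version) pairs from the top-level `dependencies:` list only."""
    deps: List[Tuple[str, Version]] = []
    in_deps = False
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):      # a new top-level key
            in_deps = line.rstrip() == "dependencies:"
            continue
        if in_deps:
            m = DEP_RE.match(line)
            if m:
                deps.append((m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))))
    return deps


def find_vulnerable(config_text: str, policy: Dict[str, Version] = MIN_SAFE) -> List[str]:
    """One finding per pinned dependency that sits below its policy floor."""
    findings = []
    for pkg, ver in parse_dependencies(config_text):
        floor = policy.get(pkg)
        if floor is not None and ver < floor:            # tuple compare == semver order
            findings.append(f"{pkg}@{'.'.join(map(str, ver))} is below {'.'.join(map(str, floor))}")
    return findings
```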
See #90