search

code-423n4 / 2022-06-notional-coop-findings

1 stars 1 forks source link

INITIALIZER MODIFIER IS SUSCEPTIBLE TO REENTRANCY DURING INITIALIZATION #106

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/package.json#L14 https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashBase.sol#L35

Vulnerability details

Impact

Package.json currently uses :

"@openzeppelin/contracts": "^3.4.2-solc-0.7",

 

This dependency has a known high severity vulnerability as mentioned here: https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINCONTRACTS-2320176

 

The following contract and all contracts that inherit it are vulnerable as a result:

wfCashBase.sol:35  function initialize(uint16 currencyId, uint40 maturity) external override initializer

 

Recommended Mitigation Steps

Upgrade @openzeppelin/contracts to version 4.4.1 or higher.

berndartmueller commented 2 years ago

Duplicate #145

Brownie is used to install dependencies and compile the contracts, using this outdated version declared in the package.json does not impose any risks qualified as medium severity.

I submitted this finding as low in #215 - [L-08] Contracts are using outdated OpenZeppelin version ^3.4.2-solc-0.7

jeffywu commented 2 years ago

See above

gzeoneth commented 2 years ago

https://github.com/code-423n4/2022-06-notional-coop-findings/issues/145

gzeoneth commented 2 years ago

As warden's QA report.