Open code423n4 opened 2 years ago
Duplicate #145
Brownie is used to install dependencies and compile the contracts; using this outdated version declared in the package.json does not impose any risks qualified as medium severity.
I submitted this finding as low in #215 - [L-08] Contracts are using outdated OpenZeppelin version ^3.4.2-solc-0.7
See above
As warden's QA report.
Lines of code
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/package.json#L14
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashBase.sol#L35
Vulnerability details
Impact
Package.json currently uses :
This dependency has a known high severity vulnerability as mentioned here: https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINCONTRACTS-2320176
The following contract and all contracts that inherit it are vulnerable as a result:
Recommended Mitigation Steps
Upgrade @openzeppelin/contracts to version 4.4.1 or higher.
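An added example (not part of the original report or the project's code) of checking a manifest against the recommendation above: it flags a declared `@openzeppelin/contracts` range whose lowest admissible version is below 4.4.1. The sample manifest is constructed, using the range string quoted in the thread, and `auditManifest` and its helpers are hypothetical names.

```javascript
// Added example: flag a declared range that can resolve below the fixed release.
const MIN_FIXED = [4, 4, 1]; // threshold from the report's recommended mitigation

// Constructed sample manifest; the range string is the one quoted in the thread.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "constructed-example",
  dependencies: { "@openzeppelin/contracts": "^3.4.2-solc-0.7" },
});

// "3.4.2-solc-0.7" -> { core: [3, 4, 2], pre: true }; missing parts count as 0.
function parseVersion(text) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.-]+)?/.exec(text);
  if (!m) return null;
  return { core: [m[1], m[2] || 0, m[3] || 0].map(Number), pre: Boolean(m[4]) };
}

// Lowest version a single-comparator range admits (exact, ^, ~, >=, =).
// Compound or wildcard-only ranges return null and are left for manual review.
function rangeFloor(range) {
  const m = /^\s*(?:\^|~|>=|=)?\s*(v?\d[^\s|]*)\s*$/.exec(range);
  return m ? parseVersion(m[1]) : null;
}

// True when the floor sorts before MIN_FIXED; a pre-release of MIN_FIXED itself
// (e.g. 4.4.1-rc.0) also sorts before the final release.
function isBelowFixed(floor) {
  for (let i = 0; i < 3; i++) {
    if (floor.core[i] !== MIN_FIXED[i]) return floor.core[i] < MIN_FIXED[i];
  }
  return floor.pre;
}

// Report the status of the package in each dependency section of package.json.
function auditManifest(jsonText, pkg = "@openzeppelin/contracts") {
  const manifest = JSON.parse(jsonText);
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    const range = (manifest[section] || {})[pkg];
    if (typeof range !== "string") continue;
    const floor = rangeFloor(range);
    const status = floor === null ? "review" : isBelowFixed(floor) ? "outdated" : "ok";
    findings.push({ section, range, status });
  }
  return findings;
}

console.log(auditManifest(SAMPLE_MANIFEST));
```

The manifest range only states what may be installed; the lockfile or the build tool's own dependency configuration determines which version is actually compiled.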