code-423n4 / 2022-06-notional-coop-findings


Incorrect openzeppelin version #145

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashBase.sol#L12-L13
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/proxy/nBeaconProxy.sol#L4
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/proxy/nUpgradeableBeacon.sol#L4

Vulnerability details

Details

Wrapped fCash uses the package @openzeppelin/contracts at version 3.4.2-solc-0.7. In the code, it imports SafeERC20 from utils and IERC20Metadata from extensions of ERC20.

But in branch release-v3.4-solc-0.7 of openzeppelin-contracts there is no utils or extensions folder.

Proof Of Concept

Openzeppelin repo: https://github.com/OpenZeppelin/openzeppelin-contracts/tree/release-v3.4-solc-0.7/contracts/token/ERC20

Recommended Mitigation Steps

Update the OpenZeppelin version (e.g. 4.6.0)
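As an added example (not part of the finding or of the Notional code), a small Python check that pulls the `@openzeppelin/contracts` import paths out of Solidity sources and verifies that each one exists in the installed package. The sources, the package.json and the two directory listings are constructed to model the mismatch the finding describes (v4-style import paths against a 3.4.x layout); `installed_files` lets the same check run against a real `node_modules/@openzeppelin/contracts` directory.

```python
import json
import os
import re

PKG = "@openzeppelin/contracts/"

# Constructed sample: v4-style import paths beside a package.json pinning the
# 3.4.x line. These are not the project's actual files.
SAMPLE_SOURCES = {
    "contracts/wfCashBase.sol": (
        'pragma solidity 0.7.6;\n'
        'import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";\n'
        'import "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";\n'
    ),
}
SAMPLE_PACKAGE_JSON = '{"dependencies": {"@openzeppelin/contracts": "^3.4.2-solc-0.7"}}'

# Constructed directory listings standing in for the two layouts: the 3.4 branch
# has no token/ERC20/utils or token/ERC20/extensions folder, the 4.x line does.
OZ_V3_FILES = {"token/ERC20/SafeERC20.sol", "token/ERC20/IERC20.sol", "token/ERC20/ERC20.sol"}
OZ_V4_FILES = {"token/ERC20/utils/SafeERC20.sol", "token/ERC20/extensions/IERC20Metadata.sol",
               "token/ERC20/IERC20.sol", "token/ERC20/ERC20.sol"}

# Matches: import "x";  import {A, B} from "x";  import * as X from "x";  import "x" as Y;
IMPORT_RE = re.compile(r'import\s+(?:[^"\';]*\s+from\s+)?["\']([^"\']+)["\']')


def oz_imports(source):
    """Import paths from one Solidity file, relative to the OpenZeppelin package root."""
    return [m.group(1)[len(PKG):] for m in IMPORT_RE.finditer(source)
            if m.group(1).startswith(PKG)]


def unresolved_imports(sources, installed):
    """(file, import path) pairs whose target does not exist in the installed package."""
    return [(path, imp) for path, src in sources.items()
            for imp in oz_imports(src) if imp not in installed]


def declared_oz_range(package_json_text):
    """Version range package.json declares for @openzeppelin/contracts, or None."""
    return json.loads(package_json_text).get("dependencies", {}).get(PKG.rstrip("/"))


def installed_files(pkg_dir):
    """Relative paths of every file under a real installed package directory."""
    found = set()
    for root, _, files in os.walk(pkg_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), pkg_dir)
            found.add(rel.replace(os.sep, "/"))
    return found
```

Running `unresolved_imports(SAMPLE_SOURCES, OZ_V3_FILES)` lists both imports as unresolvable, while the same sources resolve cleanly against the 4.x listing; in CI, pair the check with `declared_oz_range` so a package.json pin and the import layout cannot drift apart silently.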

berndartmueller commented 2 years ago

Brownie is used to install dependencies and compile the contracts; using this outdated version declared in package.json does not impose any risk that qualifies as medium severity.

I submitted this finding as low in #215 - [L-08] Contracts are using outdated OpenZeppelin version ^3.4.2-solc-0.7

gzeoneth commented 2 years ago

Thanks @berndartmueller. Downgrading to QA.

gzeoneth commented 2 years ago

Consider with #146