Status: Closed (closed by code423n4 2 years ago)
Brownie is used to install dependencies and compile the contracts; using this outdated version declared in the package.json does not impose any risks that qualify as medium severity.
I submitted this finding as low in #215 - [L-08] Contracts are using outdated OpenZeppelin version ^3.4.2-solc-0.7
Thanks @berndartmueller. Downgrading to QA.
Consider with #146
Lines of code

https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashBase.sol#L12-L13
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/proxy/nBeaconProxy.sol#L4
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/proxy/nUpgradeableBeacon.sol#L4
Vulnerability details

Details

Wrapped fCash uses the package @openzeppelin/contracts at version 3.4.2-solc-0.7. In the code, it imports SafeERC20 from utils and IERC20Metadata from extensions of ERC20. But in branch release-v3.4-solc-0.7 of openzeppelin-contracts there is no folder utils or extensions.

Proof Of Concept
Openzeppelin repo: https://github.com/OpenZeppelin/openzeppelin-contracts/tree/release-v3.4-solc-0.7/contracts/token/ERC20
Recommended Mitigation Steps

Update the OpenZeppelin version (e.g. 4.6.0).
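The finding above is, at bottom, a mismatch between the import paths the contracts use and the file layout of the OpenZeppelin release pinned in package.json. The following is an added example (not code from the Notional repository or from this issue) of a check that catches that class of problem: it scans Solidity sources for @openzeppelin/contracts imports and verifies that each one resolves to a file in the installed package tree. The contract and the two package layouts it is run against are constructed fixtures that only mimic the 3.4 and 4.x directory structure (SafeERC20 directly under token/ERC20/ with no IERC20Metadata in 3.4; utils/ and extensions/ subfolders in 4.x); they are assumptions for the demo, not a copy of either release.

```python
"""Check that every @openzeppelin/contracts import in a set of Solidity sources
resolves to a real file in the installed package tree.

Added example for the finding above; the package layouts and the sample
contract are constructed fixtures, not the project's files.
"""
import re
import tempfile
from pathlib import Path

# Matches both Solidity import forms: `import "path";` and `import {A, B} from "path";`
IMPORT_RE = re.compile(
    r'^\s*import\s+(?:\{[^}]*\}\s+from\s+)?["\']([^"\']+)["\']\s*;', re.MULTILINE
)


def solidity_imports(source: str) -> list[str]:
    """Return the import paths declared in one Solidity source file."""
    return IMPORT_RE.findall(source)


def unresolved_imports(contracts_dir: Path, package_root: Path,
                       prefix: str = "@openzeppelin/contracts/") -> dict[str, list[str]]:
    """Map each contract to the `prefix` imports that do not exist under package_root.

    package_root is the directory holding the installed package tree, e.g. node_modules
    for an npm install, or whatever directory the compiler actually remaps the
    prefix to (Brownie installs packages in its own location, not node_modules).
    """
    missing: dict[str, list[str]] = {}
    for sol in sorted(contracts_dir.rglob("*.sol")):
        bad = [p for p in solidity_imports(sol.read_text())
               if p.startswith(prefix) and not (package_root / p).is_file()]
        if bad:
            missing[sol.relative_to(contracts_dir).as_posix()] = bad
    return missing


# Constructed file lists mimicking the two layouts the finding contrasts (assumption:
# only the handful of files needed for the demo, not the full release contents).
OZ_LAYOUTS = {
    "3.4-layout": [
        "token/ERC20/IERC20.sol",
        "token/ERC20/ERC20.sol",
        "token/ERC20/SafeERC20.sol",
    ],
    "4.x-layout": [
        "token/ERC20/IERC20.sol",
        "token/ERC20/ERC20.sol",
        "token/ERC20/utils/SafeERC20.sol",
        "token/ERC20/extensions/IERC20Metadata.sol",
    ],
}

# Constructed contract that uses the two import paths the finding points at.
SAMPLE_CONTRACT = """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.0;

import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

contract Example {}
"""


def build_fixture(root: Path, layout: str) -> tuple[Path, Path]:
    """Create contracts/Example.sol and a stub node_modules/@openzeppelin/contracts tree."""
    contracts = root / "contracts"
    contracts.mkdir()
    (contracts / "Example.sol").write_text(SAMPLE_CONTRACT)
    node_modules = root / "node_modules"
    for rel in OZ_LAYOUTS[layout]:
        stub = node_modules / "@openzeppelin" / "contracts" / rel
        stub.parent.mkdir(parents=True, exist_ok=True)
        stub.write_text("// stub file, constructed for the demo\n")
    return contracts, node_modules


def demo() -> dict[str, dict[str, list[str]]]:
    """Run the resolution check against both constructed layouts."""
    results: dict[str, dict[str, list[str]]] = {}
    for layout in OZ_LAYOUTS:
        with tempfile.TemporaryDirectory() as tmp:
            contracts, node_modules = build_fixture(Path(tmp), layout)
            results[layout] = unresolved_imports(contracts, node_modules)
    return results


if __name__ == "__main__":
    for layout, missing in demo().items():
        print(layout, "->", missing or "all imports resolve")
```

Against the 3.4-style tree the two utils/ and extensions/ imports are reported as unresolved, against the 4.x-style tree nothing is. To reproduce the judge's point, run unresolved_imports with package_root set to the directory Brownie actually compiles against rather than node_modules; if the contracts build there, the package.json pin is stale documentation rather than the dependency in use, which is why the issue was downgraded to QA.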