Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/c1c7c6201d0247f92472419ff657b570f9104565/package.json#L32-L33

Vulnerability details

Proof of Concept
The project uses 4.1.0 for both @openzeppelin/contracts and @openzeppelin/contracts-upgradeable, but OpenZeppelin has flagged these as versions affected by a critical severity vulnerability: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76

Those versions are also affected by this vulnerability: https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9c22-pwxw-p6hx

It is rated Low severity there, but it has been judged as High in a previous C4 contest: https://github.com/code-423n4/2022-04-jpegd-findings/issues/227. In the current project the initializer modifier is used only in NounsAuctionHouse.sol, in its initialize method; even though that contract is out of scope, it is still worth mitigating this vulnerability.

Impact
Using old/stale library versions exposes the project to the critical severity bugs already reported in them.

Recommendation
Upgrade @openzeppelin/contracts and @openzeppelin/contracts-upgradeable to their latest versions.
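A dependency check for this recommendation, added here as an example (it is not code from the finding or from the Nouns DAO repository): it parses a package.json, strips npm range prefixes from the two OpenZeppelin packages, and flags any pin below a patched floor. The floor of 4.4.1 is an assumption based on the fix releases of the two advisories (4.3.2 and 4.4.1); confirm it against the advisory pages, and the package.json content is constructed to mirror the pins in the finding.

```python
import json
import re
from typing import Dict, List, Tuple

# Lowest releases carrying the fixes for the two advisories cited in the finding.
# ASSUMPTION: 4.3.2 fixes GHSA-5vp3-v4hc-gx76 and 4.4.1 fixes GHSA-9c22-pwxw-p6hx,
# so 4.4.1 is used as the floor; confirm against the advisory pages before relying on it.
MIN_PATCHED = {
    "@openzeppelin/contracts": (4, 4, 1),
    "@openzeppelin/contracts-upgradeable": (4, 4, 1),
}

# Constructed sample that mirrors the pins reported in the finding (not the real package.json).
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "@openzeppelin/contracts": "4.1.0",
    "@openzeppelin/contracts-upgradeable": "^4.1.0",
    "ethers": "^5.4.0"
  },
  "devDependencies": { "hardhat": "~2.9.0" }
}"""

def parse_version(spec: str) -> Tuple[int, int, int]:
    # Strip range prefixes (^, ~, =, v) and compare on the lower bound: a caret
    # range still resolves to whatever the lockfile froze, which may be the bad release.
    m = re.match(r"^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        raise ValueError(f"unsupported version spec: {spec!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def find_stale_openzeppelin(package_json_text: str) -> List[Dict[str, str]]:
    """Return each OpenZeppelin package whose pin is below its patched minimum."""
    pkg = json.loads(package_json_text)
    stale = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(section, {}).items():
            minimum = MIN_PATCHED.get(name)
            if minimum is not None and parse_version(spec) < minimum:
                stale.append({"package": name, "section": section, "pinned": spec,
                              "minimum": ".".join(map(str, minimum))})
    return stale

if __name__ == "__main__":
    for f in find_stale_openzeppelin(SAMPLE_PACKAGE_JSON):
        print(f"{f['section']}: {f['package']} pinned at {f['pinned']}, need >= {f['minimum']}")
```

Run it against the real package.json (and the lockfile's resolved versions) in CI so a downgrade or a stale pin fails the build rather than surfacing in an audit.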