code-423n4 / 2022-08-nounsdao-findings


The repository uses versions of OpenZeppelin libraries with critical severity vulnerabilities #363

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-nounsdao/blob/c1c7c6201d0247f92472419ff657b570f9104565/package.json#L32-L33

Vulnerability details

Proof of Concept

The project uses 4.1.0 for both @openzeppelin/contracts and @openzeppelin/contracts-upgradeable, but OpenZeppelin has flagged these as versions with a critical severity vulnerability:

https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76

Those versions also contain this vulnerability:

https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9c22-pwxw-p6hx

It is rated Low severity there, but was voted as a High in a previous C4 contest: https://github.com/code-423n4/2022-04-jpegd-findings/issues/227. In the current project the initializer modifier is used only in NounsAuctionHouse.sol, in its initialize method, and even though that contract is out of scope it is still good to mitigate this vulnerability.

Impact

The potential impact of using old/stale library versions is hitting the already reported critical severity bugs in them.

Recommendation

Upgrade @openzeppelin/contracts and @openzeppelin/contracts-upgradeable to their latest versions.
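The check below is an added example, not code from the finding or from the Nouns DAO repository. It shows how a dependency floor for the two OpenZeppelin packages can be enforced in CI: it parses a package.json, resolves caret/tilde ranges to their lower bound, and reports any package whose declared version is below the required minimum. The package.json content is constructed to mirror the finding (both packages at 4.1.0), and the minimum versions in MIN_VERSIONS are assumed placeholders; take the real floor from the first patched version listed in each advisory linked above.

```python
import json
import re

# Constructed sample package.json mirroring the finding: both OpenZeppelin
# packages at 4.1.0. This is sample data, not the repository's actual file.
SAMPLE_PACKAGE_JSON = """
{
  "name": "sample-nouns-contracts",
  "dependencies": {
    "@openzeppelin/contracts": "4.1.0",
    "@openzeppelin/contracts-upgradeable": "^4.1.0",
    "hardhat": "^2.9.0"
  }
}
"""

# Minimum acceptable version per package. These values are ASSUMED
# placeholders for illustration; in practice use the first patched version
# from each GitHub advisory referenced in the finding.
MIN_VERSIONS = {
    "@openzeppelin/contracts": "4.4.1",
    "@openzeppelin/contracts-upgradeable": "4.4.1",
}

# Accepts plain versions and the common npm range prefixes (^, ~, >=).
_VERSION_RE = re.compile(r"^[\^~>=]*\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(spec):
    """Return (major, minor, patch) for a plain or caret/tilde semver spec.

    A range such as ^4.1.0 resolves to its lower bound. That is the
    conservative choice: the lockfile may pin exactly that floor, so the
    project must be assumed to run the oldest version the range admits.
    """
    match = _VERSION_RE.match(spec.strip())
    if not match:
        raise ValueError(f"unsupported version spec: {spec!r}")
    return tuple(int(part) for part in match.groups())


def find_outdated(package_json_text, min_versions=MIN_VERSIONS):
    """Return {package: (declared_spec, required_minimum)} for every
    dependency whose lower bound is below the required minimum."""
    data = json.loads(package_json_text)
    outdated = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if name not in min_versions:
                continue
            if parse_version(spec) < parse_version(min_versions[name]):
                outdated[name] = (spec, min_versions[name])
    return outdated


if __name__ == "__main__":
    # Exit non-zero so a CI job fails when a stale OpenZeppelin version is declared.
    problems = find_outdated(SAMPLE_PACKAGE_JSON)
    for name, (declared, minimum) in problems.items():
        print(f"{name}: declared {declared}, required >= {minimum}")
    raise SystemExit(1 if problems else 0)
```

Running this against a real checkout means reading the repository's package.json instead of SAMPLE_PACKAGE_JSON; the comparison on the lower bound of the range is deliberately strict, since a caret range that still admits 4.1.0 does not guarantee the patched release is installed.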

davidbrai commented 2 years ago

Duplicate of #223