Open code423n4 opened 1 year ago
QA Issues found

[L-01] Unspecific Compiler Version Pragma

Impact
A known vulnerable compiler version may accidentally be selected, or security tools might fall back to an older compiler version, ending up checking a different EVM compilation than the one that is ultimately deployed on the blockchain.

Findings:
juice-nft-rewards\JB721Delegate.sol::2 => pragma solidity ^0.8.16;
juice-nft-rewards\JB721GlobalGovernance.sol::2 => pragma solidity ^0.8.16;
juice-nft-rewards\JB721TieredGovernance.sol::2 => pragma solidity ^0.8.16;
juice-nft-rewards\JBBitmap.sol::2 => pragma solidity ^0.8.16;
juice-nft-rewards\JBIpfsDecoder.sol::2 => pragma solidity ^0.8.16;
juice-nft-rewards\JBTiered721Delegate.sol::2 => pragma solidity ^0.8.16;
juice-nft-rewards\JBTiered721DelegateDeployer.sol::2 => pragma solidity ^0.8.16;
juice-nft-rewards\JBTiered721DelegateProjectDeployer.sol::2 => pragma solidity ^0.8.16;
juice-nft-rewards\JBTiered721DelegateStore.sol::2 => pragma solidity ^0.8.16;
juice-nft-rewards\JBTiered721FundingCycleMetadataResolver.sol::2 => pragma solidity ^0.8.16;

Recommendation
Avoid floating pragmas for non-library contracts. It is recommended to pin to a concrete compiler version.

[L-02] _safeMint() should be used rather than _mint() wherever possible.

Impact
_mint() is discouraged in favor of _safeMint(), which ensures that the recipient is either an EOA or implements IERC721Receiver.

Findings:
juice-nft-rewards\JBTiered721Delegate.sol::461 => _mint(_reservedTokenBeneficiary, _tokenId);
juice-nft-rewards\JBTiered721Delegate.sol::504 => _mint(_beneficiary, _tokenId);
juice-nft-rewards\JBTiered721Delegate.sol::635 => _mint(_beneficiary, _tokenId);
juice-nft-rewards\JBTiered721Delegate.sol::677 => _mint(_beneficiary, _tokenId);

Recommendation
Use either OpenZeppelin's or solmate's version of this function.
Picodes marked the issue as grade-b
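As an added example (not from the report or the juice-nft-rewards project), here is a small Python scanner that applies the two checks above to Solidity sources and reports hits in the report's path::line => code form; the file paths and contents it scans are constructed samples.

```python
"""Added example (not part of the C4 report or the juice-nft-rewards code):
a scanner for floating pragmas (L-01) and bare _mint() calls (L-02) that
emits findings in the report's "path::line => code" form."""
import re
from typing import Dict, List

# A pragma is "floating" when its version constraint admits more than one
# compiler release (^, ~, range operators, or ||).
PRAGMA = re.compile(r"pragma\s+solidity\s+([^;]*);")
FLOATING_MARKERS = re.compile(r"[\^~<>]|\|\|")
# Match a call to _mint( but not _safeMint( (the safe variant performs the
# IERC721Receiver check the report asks for); allow `super._mint(`.
UNSAFE_MINT = re.compile(r"(?<![A-Za-z0-9_])_mint\s*\(")


def scan(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {"L-01": [...], "L-02": [...]} findings for the given files."""
    findings: Dict[str, List[str]] = {"L-01": [], "L-02": []}
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            code = line.strip()
            m = PRAGMA.search(code)
            if m and FLOATING_MARKERS.search(m.group(1)):
                findings["L-01"].append(f"{path}::{lineno} => {code}")
            if UNSAFE_MINT.search(code):
                findings["L-02"].append(f"{path}::{lineno} => {code}")
    return findings


# Constructed sample files: one mirroring the shapes reported above, one
# showing the recommended pinned pragma and _safeMint() usage.
SAMPLE_SOURCES = {
    "juice-nft-rewards/JBTiered721Delegate.sol": (
        "// SPDX-License-Identifier: MIT\n"
        "pragma solidity ^0.8.16;\n"
        "contract JBTiered721Delegate {\n"
        "  function f(address _beneficiary, uint256 _tokenId) internal {\n"
        "    _mint(_beneficiary, _tokenId);\n"
        "  }\n"
        "}\n"
    ),
    "fixed/Pinned.sol": (
        "pragma solidity 0.8.16;\n"
        "contract Pinned {\n"
        "  function f(address to, uint256 id) internal { _safeMint(to, id); }\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    for issue, hits in scan(SAMPLE_SOURCES).items():
        print(issue)
        for hit in hits:
            print("  " + hit)
```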