Note that mixing pragma is not recommended. Because different compiler versions have different meanings and behaviors, it also significantly raises maintenance costs. As a result, depending on the compiler version selected for any given file, deployed contracts may have security issues.
The minimum required version must be 0.8.17; otherwise, contracts will be affected by the following important bug fixes:
ABI Decoder V2: For two-dimensional arrays and specially crafted data in memory, the result of abi.decode can depend on data elsewhere in memory. Calldata decoding is not affected.
ABI Encoder: When ABI-encoding values from calldata that contain nested arrays, correctly validate the nested array length against calldatasize() in all cases.
Override Checker: Allow changing data location for parameters only when overriding external functions.
Code Generation: Fix data corruption that affected ABI-encoding of calldata values represented by tuples: structs at any nesting level; argument lists of external functions, events and errors; return value lists of external functions. The 32 leading bytes of the first dynamically-encoded value in the tuple would get zeroed when the last component contained a statically-encoded array.
Yul Optimizer: Prevent the incorrect removal of storage writes before calls to Yul functions that conditionally terminate the external EVM call.
Apart from these, there are several minor bug fixes and improvements.
2. Lack of checks address(0)
The following methods have a lack of checks if the received argument is an address, it's good practice in order to reduce human error to check that the address specified in the constructor or initialize is different than address(0).
The EIP-165 standard helps detect that a smart contract implements the expected logic, prevents human error when configuring smart contract bindings, so it is recommended to check that the received argument is a contract and supports the expected interface.
The contract GraphProxy has the following comment:
NOTE: Only the admin can call this function.
But this is not true, because the following methods use the modifier ifAdminOrPendingImpl or ifAdmin, and these modifiers will invoke _fallback if is not an admin.
trust1995
commented
1 year ago
Low
1. Mixing and Outdated compiler
The pragma version used are:
Note that mixing pragma is not recommended. Because different compiler versions have different meanings and behaviors, it also significantly raises maintenance costs. As a result, depending on the compiler version selected for any given file, deployed contracts may have security issues.
The minimum required version must be 0.8.17; otherwise, contracts will be affected by the following important bug fixes:
0.8.3:
0.8.4:
0.8.9:
0.8.13:
abi.encodeCallin place of fixed bytes arguments.0.8.14:
calldatasize()in all cases.0.8.15
bytesarrays.0.8.16
0.8.17
Apart from these, there are several minor bug fixes and improvements.
2. Lack of checks
address(0)The following methods have a lack of checks if the received argument is an address, it's good practice in order to reduce human error to check that the address specified in the constructor or initialize is different than
address(0).Affected source code:
3. Lack of checks
supportsInterfaceThe EIP-165 standard helps detect that a smart contract implements the expected logic, prevents human error when configuring smart contract bindings, so it is recommended to check that the received argument is a contract and supports the expected interface.
Reference:
Affected source code:
Non critical
4. Use
abstractfor base contractsabstractcontracts are contracts that have at least one function without its implementation. An instance of an abstract cannot be created.Reference:
Affected source code:
5. Wrong comment
The contract
GraphProxyhas the following comment:NOTE: Only the admin can call this function.But this is not true, because the following methods use the modifier
ifAdminOrPendingImplorifAdmin, and these modifiers will invoke_fallbackif is not an admin.Affected source code:
6. Use package with known vulenerabilities
Although not vulnerable, the version of openZeppelin used contains known vulnerabilities.
Reference:
Affected source code:
7. It's possible to call
initializetwiceThe method
initializeshould be allowed to be called only once.Affected source code: