code-423n4 / 2023-11-kelp-findings


Incorrect Import Directory For OpenZeppelin's `PausableUpgradeable` Contract #87

Closed c4-submissions closed 10 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/RSETH.sol#L9

Vulnerability details

Impact

The contract fails to compile and cannot be deployed.

Proof of Concept

RSETH.sol and other files contain this line:

import { PausableUpgradeable } from "@openzeppelin/contracts-upgradeable/security/PausableUpgradeable.sol";

However, OpenZeppelin's PausableUpgradeable.sol is in ./utils, not ./security. Check the GitHub repo here:

https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/tree/master/contracts

This means that no import for the PausableUpgradeable contract is performed.

Tools Used

Manual Review

Recommended Mitigation Steps

Replace security with utils:

import { PausableUpgradeable } from "@openzeppelin/contracts-upgradeable/utils/PausableUpgradeable.sol";

Assessed type

Library
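As an added example (not part of this submission or of the Kelp code base), a small Python checker that resolves OpenZeppelin-upgradeable imports against the package actually installed in the project rather than against the master branch; it relies on the fact that Pausable and ReentrancyGuard moved from security/ to utils/ in OpenZeppelin Contracts 5.0, so whether a path is valid depends on the pinned version. The Solidity snippet and the two package trees below are constructed.

```python
"""Check OpenZeppelin-upgradeable import paths against the package actually installed."""
import os
import re
from typing import Dict, List, Set, Tuple

OZ_PREFIX = "@openzeppelin/contracts-upgradeable/"
# Files that moved from security/ to utils/ in OpenZeppelin Contracts 5.0
# (a known fact about the library, not something the report states).
MOVED_IN_V5: Dict[str, str] = {
    "security/PausableUpgradeable.sol": "utils/PausableUpgradeable.sol",
    "security/ReentrancyGuardUpgradeable.sol": "utils/ReentrancyGuardUpgradeable.sol",
}
MOVED_BACK: Dict[str, str] = {new: old for old, new in MOVED_IN_V5.items()}
IMPORT_RE = re.compile(r'import\s+(?:\{[^}]*\}\s+from\s+)?"([^"]+)"\s*;')


def oz_imports(source: str) -> List[str]:
    """Return OZ-upgradeable import paths found in a Solidity source, relative to the package root."""
    return [p[len(OZ_PREFIX):] for p in IMPORT_RE.findall(source) if p.startswith(OZ_PREFIX)]


def installed_files(package_root: str) -> Set[str]:
    """Collect the .sol files shipped by the installed package (e.g. node_modules/@openzeppelin/contracts-upgradeable)."""
    found = set()
    for dirpath, _, files in os.walk(package_root):
        for f in files:
            if f.endswith(".sol"):
                found.add(os.path.relpath(os.path.join(dirpath, f), package_root).replace(os.sep, "/"))
    return found


def check_imports(source: str, installed: Set[str]) -> List[Tuple[str, str]]:
    """Classify each OZ import as present, relocated (major-version mismatch), or missing."""
    verdicts = []
    for path in oz_imports(source):
        if path in installed:
            verdicts.append((path, "ok"))
        elif MOVED_IN_V5.get(path) in installed:
            verdicts.append((path, f"installed package is OZ 5.x; path is now {MOVED_IN_V5[path]}"))
        elif MOVED_BACK.get(path) in installed:
            verdicts.append((path, f"installed package is OZ 4.x; path is {MOVED_BACK[path]}"))
        else:
            verdicts.append((path, "not found in installed package"))
    return verdicts


# Constructed sample: the import line quoted in the report and two simulated package trees.
RSETH_SNIPPET = 'import { PausableUpgradeable } from "@openzeppelin/contracts-upgradeable/security/PausableUpgradeable.sol";'
OZ4_TREE = {"security/PausableUpgradeable.sol", "proxy/utils/Initializable.sol"}
OZ5_TREE = {"utils/PausableUpgradeable.sol", "proxy/utils/Initializable.sol"}
```

Run `check_imports(RSETH_SNIPPET, installed_files("node_modules/@openzeppelin/contracts-upgradeable"))` in a real project to see which path the pinned dependency actually provides.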

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as primary issue

raymondfam commented 11 months ago

Contract deployment would have already failed if Incorrect Import had been entailed.

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid