hats-finance / Convergence---Convex-integration-0xb3df23e155b74ad2b93777f58980d6727e8b40bb


Usage of Vulnerable Package Versions #19

Open hats-bug-reporter[bot] opened 6 months ago

hats-bug-reporter[bot] commented 6 months ago

Github username: @notbozho
Twitter username: 0xBozho
Submission hash (on-chain): 0x672f502b0c0487934097d70465b9bc2555876e0c6983bdee2f74365876d59124
Severity: low

Description

The project utilizes vulnerable versions of the @openzeppelin/contracts package, which exposes it to multiple security risks. These vulnerabilities range from moderate to high severity and affect various components of the contract, potentially leading to unexpected behaviors and security breaches. The use of these outdated libraries can lead to issues such as incorrect ABI encoding, signature verification failures, and reentrancy problems.

Impact

The vulnerabilities in the outdated @openzeppelin/contracts package versions can lead to several security issues:

Vulnerable Package Details

  1. GovernorCompatibilityBravo incorrect ABI encoding - GHSA-m6w8-fq7v-ph4m - MODERATE
  2. SignatureChecker may revert on invalid EIP-1271 signers - GHSA-4g63-c64m-25w9 - HIGH
  3. Initializer reentrancy may lead to double initialization - GHSA-9c22-pwxw-p6hx - MODERATE
  4. GovernorVotesQuorumFraction updates to quorum may affect past defeated proposals - GHSA-xrc4-737v-9q75 - HIGH
  5. ERC165Checker may revert instead of returning false - GHSA-qh9x-gcfh-pcrw - HIGH
  6. ECDSA signature malleability - GHSA-4h98-2769-gh6h - HIGH
  7. Improper Initialization in OpenZeppelin - GHSA-93hq-5wgc-jc82 - HIGH
  8. GovernorCompatibilityBravo may trim proposal calldata - GHSA-9c22-pwxw-p6hx - MODERATE
  9. ERC165Checker unbounded gas consumption - GHSA-7grf-83vw-6f5x - MODERATE
  10. Improper Escaping of Output - GHSA-g4vp-m682-qqmp - MODERATE
  11. TransparentUpgradeableProxy clashing selector calls may not be delegated - GHSA-mx2q-35m2-x2rh - MODERATE
  12. Governor proposal creation may be blocked by frontrunning - GHSA-5h3x-9wvq-w4m2 - MODERATE

Recommendations

PlamenTSV commented 6 months ago

The package versions inside the project's package.json feature: `"@openzeppelin/contracts": "^4.9.3"`, `"@openzeppelin/contracts-upgradeable": "^4.9.3"`. Version 4.9.3 of OZ libraries has no reported live vulnerabilities, except for a Base64 encoding, which is not featured in the project.
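As an added example (not part of this thread or the project's own code), a Python check of the point the reply turns on: a caret range in package.json is only a floor, so the version that actually ships is the one recorded in package-lock.json, which must be read and compared both against the declared range and against the lowest version treated as clean (4.9.3 here, taken from the reply). Both manifests are constructed samples, and the lockfile deliberately shows one package drifting below the declared range.

```python
import json
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Constructed sample manifests (not the project's real files). package.json
# carries the caret ranges quoted in the thread; package-lock.json records
# what npm actually resolved, which is what gets compiled into the contracts.
PACKAGE_JSON = json.dumps({
    "dependencies": {
        "@openzeppelin/contracts": "^4.9.3",
        "@openzeppelin/contracts-upgradeable": "^4.9.3",
    }
})
PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "node_modules/@openzeppelin/contracts": {"version": "4.9.3"},
        # Constructed drift: an older lock entry that no longer matches ^4.9.3.
        "node_modules/@openzeppelin/contracts-upgradeable": {"version": "4.8.0"},
    }
})

def parse_version(v: str) -> Version:
    """Parse 'x.y.z' (optional leading 'v', pre-release/build suffix ignored)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def caret_range(spec: str) -> Tuple[Version, Version]:
    """Inclusive lower and exclusive upper bound of an npm '^x.y.z' range."""
    if not spec.startswith("^"):
        raise ValueError(f"only caret ranges are handled: {spec}")
    lo = parse_version(spec[1:])
    major, minor, patch = lo
    if major > 0:
        hi: Version = (major + 1, 0, 0)
    elif minor > 0:            # ^0.y.z locks the minor
        hi = (0, minor + 1, 0)
    else:                      # ^0.0.z locks the patch
        hi = (0, 0, patch + 1)
    return lo, hi

def check_dependency(pkg_json: str, lock_json: str, name: str, floor: str) -> Dict[str, object]:
    """Resolve `name` through the lockfile and report whether the locked version
    satisfies the manifest range and is at or above `floor` (the lowest clean version)."""
    spec = json.loads(pkg_json)["dependencies"][name]
    resolved = json.loads(lock_json)["packages"][f"node_modules/{name}"]["version"]
    lo, hi = caret_range(spec)
    rv = parse_version(resolved)
    return {"resolved": resolved, "in_range": lo <= rv < hi,
            "at_or_above_floor": rv >= parse_version(floor)}
```

Run it against the real lockfile to confirm what is installed; the advisory ranges themselves come from `npm audit` or the GHSA entries, not from the manifest.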