hats-finance / Fenix--0x9d7765a7ebd5b6322a30797a44a5428531970d3d


Upgrade-Safe Usage of SafeERC20 in CompoundVeFNXManagedNFTStrategyUpgradeable.sol #31

Open hats-bug-reporter[bot] opened 2 months ago

hats-bug-reporter[bot] commented 2 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x4b5f4bccb1ff92e46d20f30d7d7af34c0e9e8b50f7a99d2d9930165e0c600861
Severity: medium

Description:

The current implementation of CompoundVeFNXManagedNFTStrategyUpgradeable.sol uses SafeERC20 and IERC20 from the non-upgradeable OpenZeppelin contracts. This can lead to potential issues when upgrading the contract due to the use of delegatecall in Address.sol, which SafeERC20 depends on. To ensure the contract is upgrade-safe, it is recommended to use SafeERC20Upgradeable and IERC20Upgradeable from the @openzeppelin/contracts-upgradeable repository.

https://github.com/OpenZeppelin/openzeppelin-upgrades/issues/455

Attack Scenario: Describe how the vulnerability can be exploited.

Attachments

  1. Proof of Concept (PoC) File

    import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
    import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
  2. Revised Code File (Optional)

    replace SafeERC20 with SafeERC20Upgradeable and IERC20 with IERC20Upgradeable to ensure the contract remains upgrade-safe.
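For readers following up on the report: the submission above shows only the two import lines, so the following is an added example (it is not code from the Fenix repository or from the reporter) of what a minimal upgradeable strategy looks like once the imports are switched to the `@openzeppelin/contracts-upgradeable` package. It assumes OpenZeppelin Contracts 4.9.x, where `SafeERC20Upgradeable` and `IERC20Upgradeable` still exist; in OpenZeppelin 5.x the upgradeable package no longer ships suffixed copies of stateless libraries and interfaces, and `SafeERC20`/`IERC20` are imported from `@openzeppelin/contracts` directly. The contract name, state variable and `sweep` function are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not part of the Fenix code base. Assumes OpenZeppelin
// Contracts 4.9.x (the last major line that ships the *Upgradeable
// variants of SafeERC20 and IERC20).
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {IERC20Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC20/IERC20Upgradeable.sol";
import {SafeERC20Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC20/utils/SafeERC20Upgradeable.sol";

/// @dev Hypothetical strategy used only to illustrate the import change.
contract ExampleStrategyUpgradeable is Initializable, OwnableUpgradeable {
    using SafeERC20Upgradeable for IERC20Upgradeable;

    // Token the strategy moves around; set in initialize(), never in a constructor,
    // because the constructor of an implementation never runs in proxy storage.
    IERC20Upgradeable public rewardToken;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation so it cannot be initialized directly.
        _disableInitializers();
    }

    function initialize(address rewardToken_) external initializer {
        __Ownable_init();
        rewardToken = IERC20Upgradeable(rewardToken_);
    }

    /// @notice Example privileged transfer; safeTransfer reverts on tokens that
    ///         return false or return nothing instead of true.
    function sweep(address to, uint256 amount) external onlyOwner {
        rewardToken.safeTransfer(to, amount);
    }

    // Reserved storage so later upgrades can add variables without shifting
    // the layout of inheriting contracts.
    uint256[49] private __gap;
}
```

The practical check is the one the OpenZeppelin Upgrades plugin performs: with `@openzeppelin/hardhat-upgrades`, `upgrades.deployProxy(factory, [tokenAddress])` or `upgrades.validateImplementation(factory)` fails on the original imports with "Use of delegatecall is not allowed", because `Address.sol` from the non-upgradeable package contains `functionDelegateCall`, even though `SafeERC20` itself never invokes it. Besides switching packages as the report recommends, the plugin also accepts an explicit opt-out (`unsafeAllow: ["delegatecall"]` in the deploy options, or a `/// @custom:oz-upgrades-unsafe-allow delegatecall` annotation on the contract); whichever route is taken, the proxy must never hold a reference to a library that actually executes `delegatecall` into an attacker-controlled address, which is the property the plugin's check exists to protect.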