Open hats-bug-reporter[bot] opened 8 months ago
I am not sure what you mean by "no longer available". At most you could say the contracts are deprecated by openzeppelin in later versions than we are using. But this is not a vulnerability or a bug in our code, just the usual software upgrade cycle.
@jellegerbrandy Openzeppelin removed the library from its codebase; it was not merely deprecated. You can't find a link to the library anymore.
A deprecated library is one that is still present but discouraged for use, while a removed library has been completely eliminated from the codebase. Importing a non-existing library is a bug.
Or using a non-existing library is a bug.
There is no other later version of PaymentSplitter. Openzeppelin removed it completely.
These contracts remain available also when OZ does not include them in newer versions of its library. Although this may be a concern when we write new versions of our contracts, there is no problem with the contract dependencies in their current form.
@jellegerbrandy I've said several times that there is no newer version and the library doesn't exist.
It would be helpful if you could provide a link to the contract on Openzeppelin.
Github username: --
Submission hash (on-chain): 0x27de17b110a694459f49cd995d5d342d846bc1f6aa833dca7ee952308b5c5d26
Severity: high
Description: Openzeppelin has removed PaymentSplitter. Consequently, PaymentSplitterUpgradeable has also been removed by Openzeppelin.
See: https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0
This means the PaymentSplitterUpgradeable contract is no longer available and not in use anymore.
Attack Scenario: Use of a contract not in existence anymore.
Attachments:
https://github.com/hats-finance/hats-contracts/blob/0d6ebbde912bc272d9b310140d434ee2aacd36d3/contracts/HATPaymentSplitter.sol#L6
https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0
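The disagreement above comes down to one verifiable question: does every `@openzeppelin/...` import in the repository's Solidity sources resolve against the dependency version the project actually has pinned and installed? The script below is an added example, not code from the hats-contracts repository or from the thread participants; it walks a contracts directory, extracts `import` paths, and reports package imports with no matching file under `node_modules`. The fixture it builds (a stub `node_modules` that contains `Initializable.sol` but not `PaymentSplitterUpgradeable.sol`, and a contract importing both) is constructed here to model the situation the report describes, and the file paths in it are assumptions for illustration.

```python
"""Check that every package import in a Solidity tree resolves against
the installed (pinned) dependency under node_modules.

Added example: scans *.sol files, extracts import paths, and reports any
non-relative import whose target file does not exist in node_modules.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Matches both `import "path";` and `import {A, B} from "path";`
IMPORT_RE = re.compile(
    r'^\s*import\s+(?:\{[^}]*\}\s+from\s+)?"([^"]+)"\s*;', re.M
)


def find_imports(solidity_source: str) -> List[str]:
    """Return the import paths appearing in one Solidity source file."""
    return IMPORT_RE.findall(solidity_source)


def unresolved_imports(contracts_dir: str, node_modules_dir: str) -> Dict[str, List[str]]:
    """Map each contract (relative path) to the package imports it makes
    that do not exist as files under node_modules_dir.

    Relative imports (starting with '.' or '/') are project-local and are
    skipped; only dependency imports are checked.
    """
    missing: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(contracts_dir):
        for name in files:
            if not name.endswith(".sol"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8") as fh:
                imports = find_imports(fh.read())
            unresolved = [
                imp for imp in imports
                if not imp.startswith((".", "/"))
                and not os.path.isfile(os.path.join(node_modules_dir, imp))
            ]
            if unresolved:
                missing[os.path.relpath(path, contracts_dir)] = unresolved
    return missing


def build_fixture() -> Tuple[str, str]:
    """Constructed sample tree (not a real checkout): one contract that
    imports two OpenZeppelin upgradeable paths, and a stub node_modules
    that ships only the first of them, mimicking a dependency bump that
    dropped PaymentSplitterUpgradeable."""
    base = tempfile.mkdtemp()
    contracts = os.path.join(base, "contracts")
    node_modules = os.path.join(base, "node_modules")
    os.makedirs(contracts)

    present = "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol"
    absent = "@openzeppelin/contracts-upgradeable/finance/PaymentSplitterUpgradeable.sol"

    os.makedirs(os.path.dirname(os.path.join(node_modules, present)))
    with open(os.path.join(node_modules, present), "w", encoding="utf-8") as fh:
        fh.write("// stub for the fixture\n")

    with open(os.path.join(contracts, "HATPaymentSplitter.sol"), "w", encoding="utf-8") as fh:
        fh.write(
            "// SPDX-License-Identifier: MIT\n"
            "pragma solidity ^0.8.0;\n"
            f'import "{present}";\n'
            f'import "{absent}";\n'
            'import "./Local.sol";\n'  # relative import, intentionally skipped
            "contract HATPaymentSplitter {}\n"
        )
    return contracts, node_modules


if __name__ == "__main__":
    contracts_dir, node_modules_dir = build_fixture()
    for contract, imports in unresolved_imports(contracts_dir, node_modules_dir).items():
        for imp in imports:
            print(f"{contract}: unresolved import {imp}")
```

Run against a real checkout by pointing `unresolved_imports` at the project's `contracts/` and `node_modules/` after `npm install` with the lockfile; an empty result means the pinned dependency still provides every imported contract, which is the concrete fact this thread argues about without checking. A non-empty result on the current pin is a build break, while a non-empty result after a trial bump to the next major version is the early warning that an upgrade will require replacing the import.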