hats-finance / HATs-Arbitration-Contracts-0x79a618f675857b45934ca1c413fd5f409cf89735

MIT License

PaymentSplitter.sol and consequently PaymentSplitterUpgradeable.sol has been removed by Openzeppelin #67

Open hats-bug-reporter[bot] opened 8 months ago

hats-bug-reporter[bot] commented 8 months ago

Github username: --
Submission hash (on-chain): 0x27de17b110a694459f49cd995d5d342d846bc1f6aa833dca7ee952308b5c5d26
Severity: high

Description: Openzeppelin has removed PaymentSplitter. Consequently, PaymentSplitterUpgradeable has also been removed by Openzeppelin.

See: https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0

This means the PaymentSplitterUpgradeable contract is no longer available and not in use anymore.

Attack Scenario: Use of a contract not in existence anymore.

Attachments: https://github.com/hats-finance/hats-contracts/blob/0d6ebbde912bc272d9b310140d434ee2aacd36d3/contracts/HATPaymentSplitter.sol#L6

1. Proof of Concept (PoC) File: https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v5.0.0

jellegerbrandy commented 8 months ago

I am not sure what you mean by "no longer available". At most you could say the contracts are deprecated by openzeppelin in later versions than we are using. But this is not a vulnerability or a bug in our code, just the usual software upgrade cycle.

ololade97 commented 8 months ago

@jellegerbrandy Openzeppelin removed the library from its codebase and not deprecated. You can't find a link to the library anymore.

A deprecated library is one that is still present but discouraged for use, while a removed library has been completely eliminated from the codebase. Importing a non-existing library is a bug.

ololade97 commented 8 months ago

Or using a non-existing library is a bug.

ololade97 commented 8 months ago

There is no other later version of PaymentSplitter. Openzeppelin removed it completely.

jellegerbrandy commented 7 months ago

These contracts remain available also when OZ does not include them in newer versions of its library. Although this may be a concern when we write new versions of our contracts, there is no problem with the contract dependencies in their current form.
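The point made above, that a pinned dependency keeps shipping the contract whatever later OpenZeppelin releases drop, can be checked mechanically in CI. This is an added example, not code from the hats-contracts repository or from OpenZeppelin; it assumes the import in HATPaymentSplitter.sol refers to `@openzeppelin/contracts-upgradeable/finance/PaymentSplitterUpgradeable.sol` installed under a `node_modules` tree, and the fixture it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from hats-contracts or OpenZeppelin): check that the
# OpenZeppelin package pinned in node_modules still ships the file a Solidity
# import refers to, and that its major version predates the 5.0.0 release in
# which PaymentSplitter / PaymentSplitterUpgradeable were removed.
# The package name and relative path used below are assumptions about what
# HATPaymentSplitter.sol imports; adjust them to the real import line.

# check_oz_import <node_modules dir> <npm package> <path inside the package>
# Returns 0 when the pinned package is < 5.0.0 and the file exists, else 1.
check_oz_import() {
    mods="$1"; pkg="$2"; rel="$3"
    pkgjson="$mods/$pkg/package.json"
    [ -f "$pkgjson" ] || { echo "FAIL: $pkg is not installed under $mods" >&2; return 1; }
    # Pull "version" out of package.json without depending on jq or node.
    version=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkgjson" | head -n 1)
    major=${version%%.*}
    case "$major" in
        ''|*[!0-9]*) echo "FAIL: cannot parse version '$version' of $pkg" >&2; return 1 ;;
    esac
    if [ "$major" -ge 5 ]; then
        echo "FAIL: $pkg@$version: PaymentSplitter contracts were removed in 5.0.0" >&2
        return 1
    fi
    [ -f "$mods/$pkg/$rel" ] || { echo "FAIL: $pkg@$version does not ship $rel" >&2; return 1; }
    echo "OK: $pkg@$version ships $rel"
}

# make_fixture <dir> <version> [with_file]: build a constructed, minimal
# node_modules tree so the check can be exercised offline.
make_fixture() {
    d="$1/@openzeppelin/contracts-upgradeable"
    mkdir -p "$d/finance"
    printf '{\n  "name": "@openzeppelin/contracts-upgradeable",\n  "version": "%s"\n}\n' "$2" > "$d/package.json"
    [ "$3" = "with_file" ] && : > "$d/finance/PaymentSplitterUpgradeable.sol"
    return 0
}

# Stand-alone demo: a pinned 4.x package passes, a 5.x package fails.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir" 4.9.3 with_file
check_oz_import "$demo_dir" @openzeppelin/contracts-upgradeable finance/PaymentSplitterUpgradeable.sol
make_fixture "$demo_dir" 5.0.0
check_oz_import "$demo_dir" @openzeppelin/contracts-upgradeable finance/PaymentSplitterUpgradeable.sol || true
rm -rf "$demo_dir"
```

Run it against the project's real `node_modules` after `npm ci` to catch the day a lockfile bump silently moves the dependency to 5.x.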

ololade97 commented 7 months ago

@jellegerbrandy I've said several times that there is no newer version and the library doesn't exist.

ololade97 commented 7 months ago

It would be helpful if you could provide a link to the contract on Openzeppelin.