hats-finance / Kintsu-0x7d70f9442af3a9a0a734fa6a1b4857f25518e9d2

Smart contracts for Kintsu

Use ink! version 5.0.0 instead of 4.3.0 #24

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: @0xRizwan
Twitter username: 0xRizwann
Submission hash (on-chain): 0x68daf21c22efad1ffc95b8f018d14bc379ac77e31c87a78076d5a8a8332f2440
Severity: low

Description:

ink! has released version 5.0.0, which comes with several fixes and changes from the last version, v4.3.0.

ink! had been extensively audited by OpenZeppelin; a few high, medium and low severity issues were found in the OZ audit, and ink! 5.0.0 fixed them before the official release. The OpenZeppelin audit report can be checked here

The Kintsu ink! contracts have used version 4.3.0, which can be checked and confirmed from Cargo.toml.

v4.3.0 had a few bugs which are fixed in v5.0.0, and in the context of the Kintsu contracts, the following are the functionalities/features which would benefit.

The whole v5.0.0 changelog can be checked at https://github.com/use-ink/ink/releases/tag/v5.0.0

1) Kintsu contracts have used events for transparency and for users' on-chain information. Version v5.0.0 brings changes to events in the form of Events 2.0, and the details can be checked here. v5.0.0 allows sharing events between contracts. Events have been used in almost all in-scope contracts.

2) The nomination_agent and vault contracts allow upgrading via the set_code_hash function. With version 5.0.0, set_code_hash() is made generic. More details can be checked here

3) The nomination_agent contract has made use of call_runtime. At version 4.3.0, call_runtime was unstable, which can be checked here, and now with ink! 5.0.0 this host function is stabilized in the pallet. More details can be checked here

and so on...

Recommended Mitigation steps:

Best security practice is to avoid using versions which have bugs and lack features. It is recommended to use ink! version 5.0.0 instead of 4.3.0. It is evident that upgrading to version 5.0.0 has indeed more benefits, along with new features, smaller contract size and a few optimizations.

0xmahdirostami commented 1 month ago

If you encounter any “real issues” in the current contracts that should be addressed with the transition to Ink! 5.0.0, please let us know.

bgibers commented 1 month ago

> If you encounter any “real issues” in the current contracts that should be addressed with the transition to Ink! 5.0.0, please let us know.

Agreed, if you find any specific issues that are security related, we will gladly pay out on this and upgrade to 5.0 😄

bgibers commented 1 month ago

Not really a bug here