Open hats-bug-reporter[bot] opened 3 months ago
Github username: -- Twitter username: -- Submission hash (on-chain): 0x87d7675b4f9018605f07ba10cce9ceb1703c550c275751bc5c7fa8a37853a51b Severity: medium
Description
OpenZeppelin has identified a critical severity bug in UUPSUpgradeable. The Velvet Capital contracts use OpenZeppelin upgradeable contracts with version ^4.2.0. This is confirmed from yarn.lock:
"@openzeppelin/contracts-upgradeable" "^4.2.0"
Contracts affected:
Affected versions >= 4.1.0 < 4.3.2
This issue is fixed in version 4.3.2.
Please check these links:
https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76
This issue was confirmed as medium on the Sherlock platform: https://github.com/sherlock-audit/2023-07-kyber-swap-judging/issues/25
Recommendation
Update the OpenZeppelin library to the latest version.
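An added check, not part of the submission or of the Velvet Capital code base, that applies the affected range quoted above to the versions actually resolved in a yarn.lock (v1 format); the lockfile excerpt is constructed. A declared range such as ^4.2.0 only sets a lower bound, so the resolved version is what decides exposure:

```javascript
const PKG = "@openzeppelin/contracts-upgradeable";
const AFFECTED_FROM = "4.1.0"; // inclusive, as quoted in the report
const FIXED_IN = "4.3.2";      // exclusive: 4.3.2 and later carry the fix
// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Inside the half-open range [AFFECTED_FROM, FIXED_IN)?
function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 && compareVersions(version, FIXED_IN) < 0;
}
// Walk yarn.lock v1 text: an unindented `"<name>@<range>":` header (one or more specs,
// comma separated) is followed by an indented `version "x.y.z"` line. Only that resolved
// version decides exposure; a declared caret range such as ^4.2.0 only sets the lower bound.
function auditLock(lockText, pkg = PKG) {
  const findings = [];
  let ranges = null; // declared ranges of the entry currently being read
  for (const line of lockText.split("\n")) {
    if (/^[^\s#].*:\s*$/.test(line)) {
      ranges = line.replace(/:\s*$/, "").split(",")
        .map(s => s.trim().replace(/^"|"$/g, ""))
        .filter(s => s.startsWith(pkg + "@"))
        .map(s => s.slice(pkg.length + 1));
      continue;
    }
    const ver = /^\s+version\s+"([^"]+)"/.exec(line);
    if (ver && ranges) {
      for (const range of ranges) findings.push({ range, version: ver[1], affected: isAffected(ver[1]) });
      ranges = null;
    }
  }
  return findings;
}
// Constructed lockfile excerpt for this example (not the project's real yarn.lock).
const SAMPLE_LOCK = `
"@openzeppelin/contracts-upgradeable@^4.2.0":
  version "4.2.0"
"@openzeppelin/contracts-upgradeable@^4.9.6":
  version "4.9.6"
`;
```

Running `auditLock(SAMPLE_LOCK)` flags the entry resolved to 4.2.0 and clears the one resolved to 4.9.6, which is the version the maintainers report using.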
We're using version 4.9.6.
package.json#L45-L46
"@openzeppelin/contracts": "^4.8.2", "@openzeppelin/contracts-upgradeable": "^4.9.6",
It's not used in our contracts @aktech297