hats-finance / Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77

Core smart contracts of Velvet Capital

UUPSUpgradeable vulnerability in OpenZeppelin Contracts #111

Open hats-bug-reporter[bot] opened 3 months ago

hats-bug-reporter[bot] commented 3 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x87d7675b4f9018605f07ba10cce9ceb1703c550c275751bc5c7fa8a37853a51b
Severity: medium

Description

OpenZeppelin has identified a critical severity bug in UUPSUpgradeable. The Velvet Capital contracts use OpenZeppelin upgradeable contracts at version ^4.2.0. This is confirmed from yarn.lock:

"@openzeppelin/contracts-upgradeable" "^4.2.0"

Contracts affected:

Affected versions: >= 4.1.0, < 4.3.2

This issue is fixed in version 4.3.2.

Please check this link:

https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76

This issue was confirmed as medium on the Sherlock platform: https://github.com/sherlock-audit/2023-07-kyber-swap-judging/issues/25

Recommendation

Update the OpenZeppelin library to the latest version.

langnavina97 commented 3 months ago

We're using version 4.9.6.

aktech297 commented 3 months ago

package.json#L45-L46

    "@openzeppelin/contracts": "^4.8.2",
    "@openzeppelin/contracts-upgradeable": "^4.9.6",
langnavina97 commented 3 months ago

It's not used in our contracts @aktech297
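The disagreement in this thread comes down to reading a yarn.lock entry: the `^4.2.0` in the entry key is the range that was *requested* by some package.json, while the indented `version "x.y.z"` line underneath is what was actually *resolved* and installed. Only the resolved version matters when comparing against an advisory range. The script below is an added example (not code from the Velvet Capital repository or from the thread participants) that parses a yarn.lock v1 text, reports requested ranges next to the resolved version, and flags the package if the resolved version falls inside the advisory's affected range (>= 4.1.0, < 4.3.2). The two lockfile snippets are constructed for illustration; the integrity hashes are placeholders, and the first snippet assumes the 4.9.6 resolution stated in this thread.

```python
"""Check a yarn.lock (v1 format) for an affected @openzeppelin/contracts-upgradeable
resolution. Added example for this thread; not part of the Velvet Capital code base.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected range quoted in the report (GHSA-5vp3-v4hc-gx76): >= 4.1.0 and < 4.3.2.
AFFECTED_LOW: Version = (4, 1, 0)
FIXED: Version = (4, 3, 2)

# Constructed sample lockfile. The entry key carries the requested ranges
# ("^4.2.0" and "^4.9.6"); the "version" line is the resolved release.
SAMPLE_YARN_LOCK = '''
"@openzeppelin/contracts-upgradeable@^4.2.0", "@openzeppelin/contracts-upgradeable@^4.9.6":
  version "4.9.6"
  resolved "https://registry.yarnpkg.com/@openzeppelin/contracts-upgradeable/-/contracts-upgradeable-4.9.6.tgz"
  integrity sha512-PLACEHOLDER

"@openzeppelin/contracts@^4.8.2":
  version "4.9.6"
  resolved "https://registry.yarnpkg.com/@openzeppelin/contracts/-/contracts-4.9.6.tgz"
  integrity sha512-PLACEHOLDER
'''

# Constructed counter-example: same requested range, but the lock pinned 4.2.0,
# which is inside the advisory range and would rightly be flagged.
AFFECTED_YARN_LOCK = '''
"@openzeppelin/contracts-upgradeable@^4.2.0":
  version "4.2.0"
  resolved "https://registry.yarnpkg.com/@openzeppelin/contracts-upgradeable/-/contracts-upgradeable-4.2.0.tgz"
  integrity sha512-PLACEHOLDER
'''


def parse_version(text: str) -> Version:
    """Turn '4.9.6' (or '4.9.6-rc.0') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Version) -> bool:
    """True when the resolved version is inside [AFFECTED_LOW, FIXED)."""
    return AFFECTED_LOW <= version < FIXED


def parse_yarn_lock(lock_text: str) -> Dict[str, dict]:
    """Map package name -> {'requested': [ranges...], 'version': (x, y, z)}.

    yarn.lock v1 entries start at column 0 with one or more comma-separated
    '<name>@<range>' keys (quoted when needed) ending in ':', followed by
    indented fields, one of which is 'version "x.y.z"'.
    """
    entries: Dict[str, dict] = {}
    current: List[Tuple[str, str]] = []  # (name, requested range) for the open entry
    for raw in lock_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            # Header line: split keys on ',' and strip quotes; the last '@' separates
            # the package name (which may itself start with '@scope/') from the range.
            keys = [k.strip().strip('"') for k in line.rstrip(":").split(",")]
            current = []
            for key in keys:
                name, _, rng = key.rpartition("@")
                if name:
                    current.append((name, rng))
                    entries.setdefault(name, {"requested": [], "version": None})
                    entries[name]["requested"].append(rng)
            continue
        m = re.match(r'\s+version\s+"([^"]+)"', line)
        if m:
            ver = parse_version(m.group(1))
            for name, _ in current:
                entries[name]["version"] = ver
    return entries


def audit(lock_text: str, package: str = "@openzeppelin/contracts-upgradeable") -> dict:
    """Report requested ranges, resolved version and affected status for one package."""
    entry = parse_yarn_lock(lock_text).get(package)
    if entry is None or entry["version"] is None:
        return {"package": package, "present": False, "affected": False}
    return {
        "package": package,
        "present": True,
        "requested": entry["requested"],
        "resolved": ".".join(map(str, entry["version"])),
        "affected": is_affected(entry["version"]),
    }


if __name__ == "__main__":
    for label, text in (("thread lockfile", SAMPLE_YARN_LOCK), ("pinned 4.2.0", AFFECTED_YARN_LOCK)):
        print(label, audit(text))
```

Run it against a real yarn.lock by reading the file into `audit()`; a `^4.2.0` key with a `version "4.9.6"` line reports `affected: False`, which is the situation the maintainers describe, while the same key resolving to 4.2.0 reports `affected: True`.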