sherlock-audit / 2024-06-makerdao-endgame-judging


tsueti_ - UUPSUpgradeable vulnerability in OpenZeppelin Contracts #5

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

tsueti_

High

UUPSUpgradeable vulnerability in OpenZeppelin Contracts

Summary

UUPSUpgradeable vulnerability in OpenZeppelin Contracts

Vulnerability Detail

OpenZeppelin has found a critical-severity bug in UUPSUpgradeable. The MakerDAO Endgame contracts have used OpenZeppelin upgradeable contracts with version ^1.20.6. This is confirmed from the package.json.

`"@openzeppelin/docs-utils": "^0.1.5",`
`"@openzeppelin/test-helpers": "^0.5.13",`
`"@openzeppelin/upgrade-safe-transpiler": "^0.3.32",`
`"@openzeppelin/upgrades-core": "^1.20.6",`

The UUPSUpgradeable vulnerability has been found in the following OpenZeppelin versions:

@openzeppelin/contracts : Affected versions >= 4.1.0 < 4.3.2
@openzeppelin/contracts-upgradeable : >= 4.1.0 < 4.3.2

However, OpenZeppelin has fixed this issue in version 4.3.2.

Openzeppelin bug acceptance and fix: check here

The following contract is affected due to this vulnerability

SNst.sol

This contract is UUPSUpgradeable and the issue needs to be fixed.

Impact

Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts.

Code Snippet

https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/723f8cab09cdae1aca9ec9cc1cfa040c2d4b06c1/package.json#L60C1-L63C46

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/sdai/src/SNst.sol#L23

Tool used

Manual Review

Recommendation

sunbreak1211 commented 3 months ago

The version used is v5.0.2, which is not vulnerable. Check out the submodule commits in the lib folder. Even the package.json you linked to says version 5.0.2.
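The disagreement above comes down to which package version is actually resolved. The following script, an added example that is not part of the audit report or the MakerDAO repository, reads the `name` and `version` fields of a dependency's own package.json (the file that lives in the lib submodule) and checks it against the affected range the report quotes; the package.json contents below are constructed samples, and the 4.2.0 value is a made-up in-range version for contrast.

```python
import json
import re

# Affected range from the OpenZeppelin advisory quoted in the report:
# @openzeppelin/contracts and contracts-upgradeable >= 4.1.0 and < 4.3.2.
AFFECTED_MIN = (4, 1, 0)   # inclusive
FIXED_AT = (4, 3, 2)       # exclusive: the fix shipped in 4.3.2
ADVISORY_PACKAGES = ("@openzeppelin/contracts",
                     "@openzeppelin/contracts-upgradeable")

def parse_version(v):
    """Turn '5.0.2' or a range such as '^4.2.0' into (major, minor, patch).
    Range prefixes are stripped because the check is against the version
    that is actually resolved in the submodule, not the declared range."""
    m = re.match(r"^\D*(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True only for versions inside [4.1.0, 4.3.2)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_AT

def check_package_json(text):
    """Return (name, version, verdict); verdict is None when the advisory
    does not list the package at all (e.g. tooling such as upgrades-core)."""
    pkg = json.loads(text)
    name, version = pkg["name"], pkg["version"]
    if name not in ADVISORY_PACKAGES:
        return (name, version, None)
    return (name, version, is_affected(version))

# Constructed sample matching the submodule version named in the reply.
PINNED_OK = '{"name": "@openzeppelin/contracts-upgradeable", "version": "5.0.2"}'
# Constructed sample of an in-range version, for contrast.
PINNED_BAD = '{"name": "@openzeppelin/contracts-upgradeable", "version": "4.2.0"}'
# Constructed sample: the package whose ^1.20.6 range the report cites.
TOOLING = '{"name": "@openzeppelin/upgrades-core", "version": "1.20.6"}'

if __name__ == "__main__":
    for sample in (PINNED_OK, PINNED_BAD, TOOLING):
        print(check_package_json(sample))
```

Run it against `lib/<submodule>/package.json` in the repository being audited; the third field is True, False, or None (package not covered by the advisory).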