Code4renaCODE423N4:2022-06-BADGER-FINDINGS-ISSUES-15Update initializer modifier to prevent reentrancy during initialization
Lines of code
<https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/brownie-config.yaml#L19>
<https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L56>
Vulnerability details
#Proof of Concept
<https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/brownie-config.yaml#L19>
The code uses:
@openzeppelin-contracts-upgradeable=OpenZeppelin/[email protected]/contracts/
This dependency have a known high severity vulnerability:
- <https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-2320177>
- <https://snyk.io/test/npm/@openzeppelin/contracts-upgradeable/4.3.2#SNYK-JS-OPENZEPPELINCONTRACTSUPGRADEABLE-2320177>
- <https://snyk.io/test/npm/@openzeppelin/contracts/4.0.0#SNYK-JS-OPENZEPPELINCONTRACTS-2320176>
Which makes the main contract in this audit βMyStrategyβ vulnerable during initialization:
<https://github.com/Badger-Finance/vested-aura/blob/d504684e4f9b56660a9e6c6dfb839dcebac3c174/contracts/MyStrategy.sol#L56>
Recommended Mitigation Steps
Upgrade @openzeppelin/contracts-upgradeable to version 4.4.1 or higher.
(and upgrade @openzeppelin/contracts to version 4.4.1 or higher, if in use elsewhere)
The text was updated successfully, but these errors were encountered:
All reactions