
11 matches found

Code423n4
added 2023/08/10 12:0 a.m., 11 views

Consider Disabling Inherited _cancel Function In The Governor Contracts

Lines of code Vulnerability details Impact The currently used OpenZeppelin upgradeable contracts dependency @openzeppelin/contracts-upgradeable is v4.7.3. The security council management contracts are inheriting the OpenZeppelin GovernorUpgradeable contracts to manage proposals. This version of...

6.7 AI score
Exploits: 0

Code423n4
added 2022/09/19 12:0 a.m., 10 views

[NAZ-M1] No Storage Gap for Upgradeable Contract Might Lead to Storage Slot Collision

Lines of code Vulnerability details Impact For upgradeable contracts, there must be a storage gap to "allow developers to freely add new state variables in the future without compromising the storage compatibility with existing deployments" (quote from OpenZeppelin). Otherwise it may be very difficult to...

6.8 AI score
Exploits: 0

Code423n4
added 2022/08/15 12:0 a.m., 9 views

[H1] Some admin functions are unusable because of misuse of variables in upgradeable contracts

Lines of code Vulnerability details Impact Admin functions in NFTCollectionFactor.sol are unusable through a proxy Proof of Concept Upgradeable contracts can use neither constructors nor immutable variables. The reason for that is they work behind a proxy which calls them using...

6.8 AI score
Exploits: 0

Code423n4
added 2022/08/03 12:0 a.m., 4 views

NO STORAGE GAP FOR UPGRADEABLE CONTRACT MIGHT LEAD TO STORAGE SLOT COLLISION

Lines of code Vulnerability details NO STORAGE GAP FOR UPGRADEABLE CONTRACT MIGHT LEAD TO STORAGE SLOT COLLISION Impact For upgradeable contracts, there must be a storage gap to “allow developers to freely add new state variables in the future without compromising the storage compatibility with...

6.9 AI score
Exploits: 0

Code423n4
added 2022/08/03 12:0 a.m., 26 views

No Storage Gap for Upgradeable Contract Might Lead to Storage Slot Collision

Lines of code Vulnerability details Impact For upgradeable contracts, there must be a storage gap to "allow developers to freely add new state variables in the future without compromising the storage compatibility with existing deployments" (quote from OpenZeppelin). Otherwise it may be very difficult to...

6.8 AI score
Exploits: 0

Code423n4
added 2022/05/09 12:0 a.m., 9 views

No Storage Gap for Upgradeable Contract Might Lead to Storage Slot Collision

Lines of code Vulnerability details Impact For upgradeable contracts, there must be a storage gap to "allow developers to freely add new state variables in the future without compromising the storage compatibility with existing deployments" (quote from OpenZeppelin). Otherwise it may be very difficult to...

7 AI score
Exploits: 0

Code423n4
added 2022/03/31 12:0 a.m., 9 views

Denial of services in proxy context by setting immutable privileged addresses in constructor in upgradeable contracts

Lines of code Vulnerability details Impact Privileged immutable addresses in LenderPool such as POOLEDCREDITLINE, SAVINGSACCOUNT and VERIFICATION are set in the constructor in the logic contract. These values are run at the time of deployment and affect only the local storage of the logic contrac...

6.5 AI score
Exploits: 0

Code423n4
added 2022/02/24 12:0 a.m., 11 views

constructor function used with upgradeable contracts

Lines of code Vulnerability details Impact In FETH.sol it uses Open Zeppelin upgradeable contracts in the file while also including a constructor function. Upgradeable contracts should have an initialize function instead of a constructor in order not to clash with one another. Proof of Concept...

7.1 AI score
Exploits: 0

OSV
added 2021/11/12 6:15 p.m., 21 views

CVE-2021-41264

OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and...

9.8 CVSS, 6.7 AI score
Exploits: 0, References: 3

CVE
added 2021/11/12 5:55 p.m., 56 views

CVE-2021-41264

OpenZeppelin CVE-2021-41264 affects upgradeable contracts using UUPSUpgradeable due to uninitialized implementation contracts. The vulnerability is addressed in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable. If upgrading is not possible, a mitigation is to initi...

9.8 CVSS, 9.4 AI score, 0.00641 EPSS
Exploits: 0, References: 3, Affected Software: 1

Github Security Blog
added 2021/09/15 8:22 p.m., 19 views

UUPSUpgradeable vulnerability in @openzeppelin/contracts-upgradeable

Impact Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon. Patches A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeabl...

2.2 AI score
Exploits: 0, References: 2, Affected Software: 1