Update initializer modifier to prevent reentrancy during initialization #81
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
resolved
Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-02-hubble/blob/main/package.json#L17
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/legos/Governable.sol#L5
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/legos/Governable.sol#L24
Vulnerability details
Impact
While Governable.sol is out of scope, I figured this issue would still be fair game.
The solution uses:
"@openzeppelin/contracts": "4.2.0"
This dependency has a known high-severity vulnerability: https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINCONTRACTS-2320176
Which makes this contract vulnerable:
This contract is inherited at multiple places:
`initializer()` is used here:
Recommended Mitigation Steps
Upgrade @openzeppelin/contracts to version 4.4.1 or higher.
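To make the dependency issue concrete, the following added example (not code from the Hubble repository or from this report) places the `initializer` modifier logic as shipped in the vulnerable 4.x line of `@openzeppelin/contracts` next to the check introduced in 4.4.1, both reconstructed from memory of OpenZeppelin's `Initializable.sol` and reduced to the modifier. The `GovernableExample` contract and its `initialize` signature are assumptions for illustration, not the project's `Governable.sol`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, reconstructed from memory of OpenZeppelin Initializable.sol;
// not code from the Hubble repository. Both variants are reduced to the modifier.

// Variant A: the check as in @openzeppelin/contracts 4.2.0 (vulnerable).
// Once _initializing is true, a nested call into an `initializer` function passes
// the require, so an external call made from inside initialize() can re-enter it
// and run the initialization body a second time (e.g. re-assign governance).
abstract contract InitializableVulnerable {
    bool private _initialized;
    bool private _initializing;

    modifier initializer() {
        require(_initializing || !_initialized, "Initializable: contract is already initialized");
        bool isTopLevelCall = !_initializing;
        if (isTopLevelCall) {
            _initializing = true;
            _initialized = true;
        }
        _;
        if (isTopLevelCall) {
            _initializing = false;
        }
    }
}

// Variant B: the check from 4.4.1. Nested initializer calls are only tolerated
// while the contract is still being constructed (no code at address(this) yet);
// outside a constructor a nested call means the contract was re-entered, and the
// require reverts.
abstract contract InitializableFixed {
    bool private _initialized;
    bool private _initializing;

    modifier initializer() {
        require(_initializing ? _isConstructor() : !_initialized, "Initializable: contract is already initialized");
        bool isTopLevelCall = !_initializing;
        if (isTopLevelCall) {
            _initializing = true;
            _initialized = true;
        }
        _;
        if (isTopLevelCall) {
            _initializing = false;
        }
    }

    // Parent (__X_init) initializers use this instead of `initializer`, so they
    // can only run as part of an in-progress top-level initialization.
    modifier onlyInitializing() {
        require(_initializing, "Initializable: contract is not initializing");
        _;
    }

    // OpenZeppelin expresses this via Address.isContract; code.length is the
    // equivalent check in Solidity >= 0.8.0 without importing the library.
    function _isConstructor() private view returns (bool) {
        return address(this).code.length == 0;
    }
}

// Usage sketch (assumed contract, not the project's Governable.sol): a
// governance-holding contract on the fixed base. Writing governance before any
// external interaction keeps checks-effects-interactions ordering, which also
// limits the impact of a reentrant initializer on older library versions.
contract GovernableExample is InitializableFixed {
    address public governance;

    function initialize(address _governance) external initializer {
        require(_governance != address(0), "governance is zero");
        governance = _governance;
    }
}
```

The difference is the single `require`: in Variant A the `_initializing` flag alone unlocks the modifier, while in Variant B it only does so during construction. A quick check for the fix after upgrading is that `node_modules/@openzeppelin/contracts/proxy/utils/Initializable.sol` contains the `_initializing ? _isConstructor() : !_initialized` condition and the `onlyInitializing` modifier.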