Notional x Index Coop - ayeslick's results

A collaboration between Notional and Index Coop to create fixed rate yield index tokens.

General Information

Platform: Code4rena

Start Date: 07/06/2022

Pot Size: $75,000 USDC

Total HM: 11

Participants: 77

Period: 7 days

Judge: gzeon

Total Solo HM: 7

Id: 124

League: ETH

Notional

Findings Distribution

Researcher Performance

Rank: 63/77

Findings: 1

Award: $88.14

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Notional

Findings Information

🌟 Selected for report: berndartmueller

Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkatana, 0xmint, Bronicle, Chom, Cityscape, Deivitto, Funen, GimelSec, GreyArt, IllIllI, JC, Lambda, Meera, Nethermind, Picodes, PierrickGT, Ruhum, Sm4rty, Tadashi, TerrierLover, TomJ, Trumpero, Waze, _Adam, antonttc, ayeslick, c3phas, catchup, cccz, cloudjunky, cryptphi, csanuragjain, delfin454000, dipp, ellahi, fatherOfBlocks, hake, hansfriese, hyh, joestakey, jonah1005, kenzo, minhquanym, oyc_109, sach1r0, saian, simon135, slywaters, sorrynotsorry, sseefried, unforgiven, xiaoming90, z3s, zzzitron

Awards

88.1437 USDC - $88.14

Labels

bug

QA (Quality Assurance)

sponsor disputed

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/package.json#L14 https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/notional-wrapped-fcash/contracts/wfCashBase.sol#L35

Vulnerability details

Impact

Package.json currently uses :

"@openzeppelin/contracts": "^3.4.2-solc-0.7",

This dependency has a known high severity vulnerability as mentioned here: https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINCONTRACTS-2320176

The following contract and all contracts that inherit it are vulnerable as a result:

wfCashBase.sol:35  function initialize(uint16 currencyId, uint40 maturity) external override initializer

Recommended Mitigation Steps

Upgrade @openzeppelin/contracts to version 4.4.1 or higher.

#0 - berndartmueller
2022-06-15T09:47:06Z

Duplicate #145

Brownie is used to install dependencies and compile the contracts, using this outdated version declared in the package.json does not impose any risks qualified as medium severity.

I submitted this finding as low in #215 - [L-08] Contracts are using outdated OpenZeppelin version ^3.4.2-solc-0.7

#1 - jeffywu
2022-06-15T12:33:20Z

See above

#2 - gzeoneth
2022-06-26T12:47:02Z

https://github.com/code-423n4/2022-06-notional-coop-findings/issues/145

#3 - gzeoneth
2022-06-26T16:01:35Z

As warden's QA report.

Notional x Index Coop - ayeslick's results

A collaboration between Notional and Index Coop to create fixed rate yield index tokens.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-60] QA Report - $88.14

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Recommended Mitigation Steps

#0 - berndartmueller2022-06-15T09:47:06Z

#1 - jeffywu2022-06-15T12:33:20Z

#2 - gzeoneth2022-06-26T12:47:02Z

#3 - gzeoneth2022-06-26T16:01:35Z

#0 - berndartmueller
2022-06-15T09:47:06Z

#1 - jeffywu
2022-06-15T12:33:20Z

#2 - gzeoneth
2022-06-26T12:47:02Z

#3 - gzeoneth
2022-06-26T16:01:35Z