The use of an older Solidity version (0.7.6) results in the use of an older OpenZeppelin contracts version (3.4.2-solc-0.7), which has well-known vulnerabilities that can lead to exploits.
The `PuppyRaffle.sol` contract pragma specifies `^0.7.6`, which was the latest Solidity version for the 0.7 major release. Using the most recent OpenZeppelin contracts version compatible with Solidity 0.7 requires the [3.4.2-solc-0.7 package](https://www.npmjs.com/package/@openzeppelin/contracts/v/3.4.2-solc-0.7) of OpenZeppelin. This package has critical and high vulnerabilities as listed and described here.
High - the vulnerabilities include DoS, so the protocol's ability to remain operational is at stake.
VS Code
npm OpenZeppelin contracts
At a minimum, upgrade Solidity to version 0.8 and OpenZeppelin to version 4.8.3. This would plug the Critical and High vulnerabilities. For maximum security, upgrade to Solidity 0.8.20 and OpenZeppelin 5.0.0, which eliminates all known vulnerabilities.
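A version gate that enforces the minimum recommendation above could look like the following. This is an added example, not code from the PuppyRaffle repository; the function names, the sample contract stub and the sample `package.json` are constructed, and it assumes the OpenZeppelin dependency is declared through npm.

```javascript
// Floors taken from the minimum recommendation: Solidity 0.8, OpenZeppelin 4.8.3.
const FLOORS = { solidity: "0.8.0", openzeppelin: "4.8.3" };

// "^0.7.6" -> [0,7,6]; "3.4.2-solc-0.7" -> [3,4,2].
// The first version in a spec is treated as its lower bound (assumption).
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)(?:\.(\d+))?/.exec(spec);
  if (!m) throw new Error(`unparseable version: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// True when the lower bound of `spec` is strictly older than `floor`.
function isBelow(spec, floor) {
  const a = parseVersion(spec), b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Returns one message per outdated pin found in a Solidity source
// and a package.json text; an empty array means the gate passes.
function auditVersions(soliditySource, packageJsonText) {
  const findings = [];
  const pragma = /pragma\s+solidity\s+([^;]+);/.exec(soliditySource);
  if (!pragma) {
    findings.push("no solidity pragma found");
  } else if (isBelow(pragma[1], FLOORS.solidity)) {
    findings.push(`solidity pragma ${pragma[1].trim()} is below ${FLOORS.solidity}`);
  }
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  const oz = deps["@openzeppelin/contracts"];
  if (oz && isBelow(oz, FLOORS.openzeppelin)) {
    findings.push(`@openzeppelin/contracts ${oz} is below ${FLOORS.openzeppelin}`);
  }
  return findings;
}

// Constructed inputs mirroring the versions named in the finding.
const SAMPLE_SOL = "// SPDX-License-Identifier: MIT\npragma solidity ^0.7.6;\ncontract PuppyRaffle {}";
const SAMPLE_PKG = JSON.stringify({
  dependencies: { "@openzeppelin/contracts": "3.4.2-solc-0.7" },
});

console.log(auditVersions(SAMPLE_SOL, SAMPLE_PKG));
```

Run in CI, a non-empty result would fail the build before an outdated compiler or library pin reaches deployment.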