The current Makefile installs dependencies without specifying the version to be downloaded. This means that, by default, the latest versions of the dependencies are fetched without any check that they are compatible with the project. Additionally, if the GitHub repository of any of the dependencies is compromised, the entire project could be compromised as well during the next make install or make command. This vulnerability is particularly concerning when new users start using the project, since each fresh checkout performs an unpinned install.
If any of the dependencies are compromised, or if a new version introduces a bug, the code could be compromised or behave unexpectedly. In this case, both libraries are well-known dependencies that undergo extensive review, making the likelihood of such incidents very low. However, it is important to note that supply chain attacks, although rare, can have a significant impact. Moreover, this contract is designed to be deployed many times in the future, which means it will also be deployed at times when newer versions of the dependencies are available. Therefore, I have classified this vulnerability as low severity.
To address this issue, it is recommended to specify the exact versions of the dependencies in the Makefile to ensure consistency and stability. Here is an example of the recommended changes:
By specifying the version numbers, you ensure that the project uses the tested and compatible versions of the dependencies, reducing the risk of unexpected bugs or supply chain attacks.
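As an added example that is not part of the original finding or the audited project's Makefile, the following POSIX shell script checks an install recipe for forge install invocations that lack an @tag-or-commit pin. It assumes the project installs its libraries with Foundry's forge install (the finding does not name the tool); the repository names and the two sample recipes are constructed placeholders, not the project's real dependencies.

```shell
#!/bin/sh
# Added example (not the audited project's Makefile): detect unpinned
# "forge install" dependencies before running "make install".
# Assumes Foundry's forge; repository names below are constructed placeholders.

# Constructed sample recipes: one unpinned, one pinned to a tag and a commit.
UNPINNED_MAKEFILE='install :; forge install example-org/example-lib --no-commit && forge install other-org/other-lib --no-commit'
PINNED_MAKEFILE='install :; forge install example-org/example-lib@v1.2.3 --no-commit && forge install other-org/other-lib@0123456789abcdef0123456789abcdef01234567 --no-commit'

# Print the repository argument of every "forge install" in the recipe, one per line.
list_deps() {
    printf '%s\n' "$1" \
        | tr '&;' '\n\n' \
        | sed -n 's/.*forge install[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Print how many of those repositories carry no "@<tag-or-commit>" suffix.
count_unpinned() {
    n=$(list_deps "$1" | grep -v '@' | grep -c .) || true
    printf '%s\n' "$n"
}

# Exit 0 when every dependency is pinned; otherwise report each unpinned one
# on stderr and exit 1, so the check can guard an install target.
check_pins() {
    if [ "$(count_unpinned "$1")" -eq 0 ]; then
        return 0
    fi
    list_deps "$1" | grep -v '@' | sed 's/^/unpinned dependency: /' >&2
    return 1
}

# Usage: run the check over both constructed recipes.
for recipe in "$UNPINNED_MAKEFILE" "$PINNED_MAKEFILE"; do
    if check_pins "$recipe"; then
        echo "ok: all dependencies pinned"
    else
        echo "fail: pin every dependency before running make install"
    fi
done
```

Pinning to a full commit hash (as the second dependency in the pinned recipe does) is stricter than pinning to a tag, because a tag can be moved in the upstream repository while a commit hash identifies exactly one reviewed tree.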