NFT Dealers

First Flight #58
Beginner Friendly | Foundry
100 EXP
Submission Details
Impact: low
Likelihood: high

No contract dependency libraries committed in git

Author: Revealed upon completion

Root + Impact

Description

  • The project specifies openzeppelin-contracts and foundry-rs/forge-std as dependencies.

  • But these dependencies are not checked in as git submodules in the git repository. The potential issue is that a developer who simply runs forge install OpenZeppelin/openzeppelin-contracts without paying attention to the version number may download a dependency version that is not the one the project was developed and tested against.

Risk

Likelihood:

  • After checking out the project, even with git clone --recurse-submodules https://github.com/CodeHawks-Contests/2026-03-NFT-dealers.git, running forge build fails because the dependency submodules do not exist.

Impact:

  • Dependent contracts may be downloaded at unexpected or inconsistent versions, which may expose unexpected behavior in the project.

Proof of Concept

The expected openzeppelin-contracts version is v5.5.0 (as defined in foundry.lock), but an amateur developer could simply run forge install foundry-rs/forge-std and download whatever version is current at the time, which may cause unexpected behavior in the project.

  # The expected openzeppelin-contracts version is v5.5.0 (see foundry.lock)
  # But an amateur developer may run the install without specifying a version:
  forge install OpenZeppelin/openzeppelin-contracts

Recommended Mitigation

Referring back to foundry.lock, we add the required dependencies back into the project: forge-std is pinned to v1.15.0 and openzeppelin-contracts to v5.5.0.

  # Running in shell
  forge install foundry-rs/forge-std@v1.15.0
  forge install OpenZeppelin/openzeppelin-contracts@v5.5.0
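The two commands above restore the pins. As an added example that is not part of this finding or of the project, the POSIX sh check below reads `git submodule status` output and reports each pinned dependency that is missing, uninitialized, or not checked out at the tag recorded in foundry.lock, so a CI step can fail the build before forge ever resolves an unpinned version. The required-pins table, the function and the sample status lines are constructed for the example (the tags are the ones the finding names).

```shell
#!/bin/sh
# Added example, not part of the finding: a pre-build check that every
# dependency the project pins is present as an initialized git submodule
# at the pinned tag. The pins below are the ones the finding reads from
# foundry.lock; the function and its messages are this example's own.

# Required dependencies as "path repo tag" triples.
REQUIRED_DEPS="lib/forge-std foundry-rs/forge-std v1.15.0
lib/openzeppelin-contracts OpenZeppelin/openzeppelin-contracts v5.5.0"

# check_submodules STATUS_TEXT
# STATUS_TEXT is the output of `git submodule status`: one line per submodule
# made of a status char (' ' ok, '-' not initialized, '+' checked out at a
# different commit), the 40-hex commit id, the path and, when the commit is
# tagged, the tag in parentheses. Prints one line per problem; returns 1 if any.
check_submodules() {
  status="$1"
  rc=0
  while read -r path repo tag; do
    [ -n "$path" ] || continue
    line=$(printf '%s\n' "$status" | grep -E "^.[0-9a-f]{40} $path( |\$)" || true)
    if [ -z "$line" ]; then
      echo "MISSING: $path is not a submodule (run: forge install $repo@$tag)"
      rc=1; continue
    fi
    case "$line" in
      -*) echo "UNINITIALIZED: $path (run: git submodule update --init)"; rc=1; continue ;;
      +*) echo "DRIFT: $path is not at the commit recorded in the superproject"; rc=1; continue ;;
    esac
    case "$line" in
      *"($tag)"*) ;;
      *) echo "WRONG TAG: $path expected $tag in: $line"; rc=1 ;;
    esac
  done <<EOF
$REQUIRED_DEPS
EOF
  return $rc
}

# Constructed sample status outputs (fake commit ids), not taken from the repo.
SAMPLE_OK=" 1111111111111111111111111111111111111111 lib/forge-std (v1.15.0)
 2222222222222222222222222222222222222222 lib/openzeppelin-contracts (v5.5.0)"
# forge-std was never installed and openzeppelin-contracts sits at another tag.
SAMPLE_BAD=" 3333333333333333333333333333333333333333 lib/openzeppelin-contracts (v5.4.0)"

check_submodules "$SAMPLE_OK" && echo "all pinned dependencies present"
check_submodules "$SAMPLE_BAD" || echo "dependency check failed; see messages above"
```

In a real checkout, replace the sample with `check_submodules "$(git submodule status)"` and let the non-zero exit status fail the CI job.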
