Ensure Code Dependencies Are Secured

Overview

Solidity projects rely heavily on external libraries (e.g., OpenZeppelin, Uniswap libraries). While these dependencies save development time, they introduce potential attack surfaces if versions are not managed carefully.

This document explains how to pin dependencies and ensure the version used is exactly the one audited, with all known issues addressed.

1. Pin Exact Versions

Always pin the exact dependency version in your project configuration instead of using floating versions.

Examples:

Foundry: (foundry.toml):

[dependencies]
openzeppelin-contracts = { git = "https://github.com/OpenZeppelin/openzeppelin-contracts", tag = "v4.9.3" }

Solidity import:

import "@openzeppelin/[email protected]/token/ERC20/ERC20.sol";

Why:

Prevents accidental upgrades that could introduce vulnerabilities.
Ensures the audited code matches what is deployed.

2. Audit Version Verification

Security audits must specify the exact version or commit audited.
Before deployment, confirm:
1. The deployed dependency version matches the audited version.
2. Any known vulnerabilities from previous audits are patched.

Tip: Treat any code change in a dependency as a new audit scope.

3. Immutable vs Upgradeable Contracts

Immutable contracts: Dependency version must be final; any fixes require redeployment.
Upgradeable contracts: Dependency can be upgraded, but still pin versions and monitor for vulnerabilities.

PreviousVetting Process for External Tokens NextTesting

Last updated 6 months ago

Good night

hashtagOverview

hashtag1. Pin Exact Versions

hashtag2. Audit Version Verification

hashtag3. Immutable vs Upgradeable Contracts

Overview

1. Pin Exact Versions

2. Audit Version Verification

3. Immutable vs Upgradeable Contracts