Dependency Security
This document tracks external dependencies, their security status, and countermeasures for known issues.
Pinned Versions
| Library | Commit | Tag | Audit Status |
|---|---|---|---|
| OpenZeppelin Contracts | 447a509 | v5.x | Audited by OpenZeppelin |
| Uniswap v4-core | d153b04 | pre-release | Audited by OpenZeppelin, Trail of Bits |
| Uniswap v4-periphery | 3779387 | pre-release | Audited with v4-core |
| forge-std | latest | - | Testing only, not deployed |
Known Slither Findings in Dependencies
1. v4-core: divide-before-multiply in CustomRevert
Location: lib/v4-core/src/libraries/CustomRevert.sol:91
Severity: Low (informational)
Status: Accepted Risk
Analysis: This is intentional bit manipulation for error encoding, not financial math. The expression `(returndatasize() + 31) / 32 * 32` rounds the return data length up to the next 32-byte boundary, which is exactly why the division happens before the multiplication.
Countermeasure: None needed - this is correct code flagged by overzealous static analysis.
2. OpenZeppelin SafeERC20: Assembly Usage
Location: lib/openzeppelin-contracts/contracts/token/ERC20/utils/SafeERC20.sol
Severity: Informational
Status: Accepted Risk
Analysis: Assembly is used intentionally for gas optimization and handling non-standard ERC20 tokens. OpenZeppelin's code is extensively audited.
Countermeasure: None needed - this is battle-tested production code.
3. Multiple Solidity Versions
Severity: Informational
Status: Accepted Risk
Analysis: External interfaces (Aave, Uniswap) use different pragma versions. Our contracts use ^0.8.24 for latest safety features.
Countermeasure: Compiler uses highest compatible version (0.8.24+).
Our Countermeasures
1. Version Pinning
All dependencies are pinned to specific git commits in foundry.toml. Updates require explicit review.

```toml
[dependencies]
openzeppelin-contracts = { version = "5.0.0", git = "https://github.com/OpenZeppelin/openzeppelin-contracts", rev = "447a509" }
```
2. Safe External Calls
For low-level calls (ETH transfers), we use the SafeCall pattern:

```solidity
// Instead of a raw call
(bool success,) = recipient.call{value: amount}("");
require(success, "Transfer failed");

// Use SafeCall with an explicit gas limit
SafeCall.sendValue(recipient, amount, SAFE_GAS_LIMIT);
```
3. Circuit Breakers
All contracts include pause functionality:
- pause()/unpause() - Owner can halt operations
- whenNotPaused modifier on critical functions
- 48-hour timelock on treasury operations
4. Reentrancy Protection
- ReentrancyGuard on all state-changing functions
- CEI (Checks-Effects-Interactions) pattern enforced
- Events emitted before external calls where possible
5. Monitoring Recommendations
Pre-deployment checklist:
- Run `slither .` and review all findings
- Run `forge test --fuzz-runs 1000`
- Verify dependency commits match pinned versions
- Check for new CVEs in dependencies
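A script for the "verify dependency commits match pinned versions" step, added here as an example rather than the project's own tooling. It assumes Soldeer-style entries in the `[dependencies]` table of foundry.toml (as in the pinning snippet above) and a git checkout of each dependency under `lib/<name>`, matching the `lib/...` paths cited in the findings; the sample TOML is constructed.

```python
"""Pre-deployment check: does each lib/<name> checkout match the rev pinned in foundry.toml?"""
import re
import subprocess
from pathlib import Path

# Soldeer-style entry inside [dependencies]: name = { version = "...", git = "...", rev = "447a509" }
_DEP_RE = re.compile(r'^([\w.\-]+)\s*=\s*\{(?P<body>.*)\}$')
_REV_RE = re.compile(r'\brev\s*=\s*"([0-9a-fA-F]{7,40})"')

# Constructed sample, not the project's real file; the first entry is the one shown on the page.
SAMPLE_FOUNDRY_TOML = """[dependencies]
openzeppelin-contracts = { version = "5.0.0", git = "https://github.com/OpenZeppelin/openzeppelin-contracts", rev = "447a509" }
forge-std = { version = "1.9.0" }
"""

def parse_pinned_revs(toml_text: str) -> dict:
    """Return {dependency: pinned rev, or None when the entry carries no rev} from [dependencies]."""
    pinned, in_deps = {}, False
    for raw in toml_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_deps = line == "[dependencies]"  # other tables ([profile.default], ...) are skipped
            continue
        m = _DEP_RE.match(line) if in_deps else None
        if m:
            rev = _REV_RE.search(m.group("body"))
            pinned[m.group(1)] = rev.group(1) if rev else None
    return pinned

def check_rev(pinned_rev, actual_rev: str) -> str:
    """'ok' when the full checked-out hash starts with the pinned (usually short) rev."""
    if pinned_rev is None:
        return "unpinned"
    return "ok" if actual_rev.strip().lower().startswith(pinned_rev.lower()) else "mismatch"

def audit(toml_text: str, lib_root: str) -> dict:
    """Status per dependency, assuming each one is a git checkout at <lib_root>/<name> (assumption)."""
    results = {}
    for name, rev in parse_pinned_revs(toml_text).items():
        if rev is None:
            results[name] = "unpinned"
            continue
        try:
            cmd = ["git", "-C", str(Path(lib_root) / name), "rev-parse", "HEAD"]
            results[name] = check_rev(rev, subprocess.check_output(cmd, text=True, stderr=subprocess.DEVNULL))
        except (subprocess.CalledProcessError, FileNotFoundError):
            results[name] = "missing"  # no checkout at that path, or git not installed
    return results
```

In the repository root, `audit(Path("foundry.toml").read_text(), "lib")` returns a status per dependency; anything other than `ok` should block deployment.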
Post-deployment monitoring:
- Set up event monitoring for unusual activity
- Alert on large withdrawals (>5% TVL)
- Monitor gas prices for MEV operations
- Track dependency security advisories
Dependency Update Process
- Create branch: `chore/update-deps-YYYY-MM-DD`
- Update one dependency at a time
- Run full test suite
- Run Slither analysis
- Document any new findings
- Require approval from 2 reviewers before merge
Security Contacts
- OpenZeppelin: security@openzeppelin.com
- Uniswap: security@uniswap.org
- Bug Bounty: See GOLDEN_PATH.md for reward tiers