OpenZeppelin Contracts issues reported by Slither

The question to openzeppeling team

I use openzeppeling-contracts 3.0

Initializable,
ERC20PresetMinterPauserUpgradeable,
OwnableUpgradeable

Slither analysis gives many issues from critical to medium

And compilation warnings:

Do I need to bother?
Is it audited at all?

1 Like

Hi @dmdv,

Slither is reporting that the reserved storage gap __gap shadows the other gaps in inherited contracts. For information on the gap please see the following: https://docs.openzeppelin.com/contracts/3.x/upgradeable#storage_gaps

As the storage gap is only used to reserve space I don’t think shadowing is an issue.

I assume you are compiling with Solidity 0.7.

In Solidity 0.7 visibility ( public / external ) is not needed for constructors anymore.
See: https://docs.soliditylang.org/en/v0.8.0/070-breaking-changes.html#functions-and-events

If you want to use Solidity 0.7, you may prefer to install @openzeppelin/contracts@solc-0.7
For the combination of upgradeable contracts and Solidity 0.7, use @openzeppelin/contracts-upgradeable@solc-0.7
From: OpenZeppelin Contracts 3.3

You appear to have a mix of upgradeable and non-upgradeable contracts. For upgradeable contracts you should use OpenZeppelin Contracts Upgradeable, see: https://docs.openzeppelin.com/contracts/3.x/upgradeable

I would go through all of the reported issues/warnings and either resolve or decide why it doesn’t need to be resolved. I would suggest documenting this for your community.

Last full audit on v2.0.0, see: https://github.com/OpenZeppelin/openzeppelin-contracts/tree/master/audit

1 Like

I believe the warning about the gap variables is a bug in Slither. There is no shadowing because the variables are private. Unless they consider that shadowing as well? @dmdv Do you want to report this to Slither or should we do it?

1 Like

The warnings about unused function parameters are a nuisance, sorry about that. We have an issue to fix it. https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/issues/89

1 Like

Slither is an automated tool.

That gives loads of indications.

Your job as developer is to assess which warnings are actionable.

Not all warnings need to be acted upon.

1 Like

I’ve fixed the gap warning by moving to the 0.7.0 solc version of openzeppeling contracts.

But only this is remaining

1 Like

That’s a compiler warning that we haven’t fixed yet. It’s nothing to worry about, but it is annoying.

2 Likes