Third-party code is not attributed

Open fulldecent opened this issue 6 years ago • 0 comments

Some third-party code is copy-pasted into the project but it is not attributed.

Copy-pasting leads to the risk that code will become (or has been) stale. By attributing code, it is easier to check that the latest versions are being used. This includes Spawner.sol, whose primary home appears to be outside of this project.

Recommendation: Add a comment like the following at the top for all copy-pasted code:

// From https://github.com/OpenZeppelin/openzeppelin-contracts
// openzeppelin-contracts/contracts/token/ERC20/IERC20.sol
// at commit 49042f2b1ae76eb9befa12000b98211981a139ec

Additional notes: yes, even OZ (especially OZ) makes mistakes and I’ve seen vulnerabilities or other problems come from failing to do this.

References:

  • One example: https://github.com/erasureprotocol/erasure-protocol/blob/4a3d98ce023a264a9f3c7ba62ef77a9207bba5fe/contracts/helpers/openzeppelin-solidity/math/SafeMath.sol#L1-L6

fulldecent Nov 18 '19 16:11
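
A check for the header format recommended in the issue above, written as an added example that is not part of the original issue or the project's code. The sample file names and contents are constructed, and two rules are assumptions of this example: the commit must be a full 40-hex hash, and the recorded path must name the same file.

```python
import re
from pathlib import PurePosixPath

# Header layout from the issue's recommendation, at the top of the file:
#   // From <repository URL> / // <path in that repository> / // at commit <SHA-1>
HEADER = re.compile(
    r"\A\s*// From (?P<repo>https://\S+)[ \t]*\n"
    r"// (?P<path>\S+)[ \t]*\n"
    r"// at commit (?P<commit>\S+)[ \t]*\n"
)
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def check_attribution(filename, source):
    """Return a list of problems with the attribution header (empty if OK)."""
    m = HEADER.match(source)
    if m is None:
        return ["no attribution header at top of file"]
    problems = []
    if not FULL_SHA.fullmatch(m["commit"]):
        # A branch, tag or short hash does not pin one exact upstream version.
        problems.append("commit is not a full 40-hex SHA-1: " + m["commit"])
    if PurePosixPath(m["path"]).name != PurePosixPath(filename).name:
        problems.append("upstream path names a different file: " + m["path"])
    return problems


def audit(files):
    """files: {vendored path: source text} -> {path: [problems]} for failures."""
    report = {}
    for name, text in files.items():
        problems = check_attribution(name, text)
        if problems:
            report[name] = problems
    return report


# Constructed sample inputs (not the project's actual files or layout).
OK_HEADER = (
    "// From https://github.com/OpenZeppelin/openzeppelin-contracts\n"
    "// openzeppelin-contracts/contracts/token/ERC20/IERC20.sol\n"
    "// at commit 49042f2b1ae76eb9befa12000b98211981a139ec\n"
)
SAMPLES = {
    "vendor/IERC20.sol": OK_HEADER + "interface IERC20 {}\n",
    "vendor/SafeMath.sol": "library SafeMath {}\n",
    "vendor/Spawner.sol": "// From https://example.invalid/upstream\n"
    "// Spawner.sol\n// at commit master\ncontract Spawner {}\n",
}
```

Running `audit` over the vendored directory in CI makes a missing or unpinned header fail the build instead of relying on review.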