Description
Hello developers. We are recently utilizing some automated tools to detect potential dependency issues. If there are any inaccuracy, we would greatly appreciate your corrections and feedback.
We noticed that there is a known problem/bug in the contract GovernorCompatibilityBravo. The GovernorCompatibilityBravo contract is a modified version from OZ library. However, it is influenced by some bugs/problems from the basic contract. According to GHSA-93hq-5wgc-jc82 and OpenZeppelin/openzeppelin-contracts#3100, this contract may trim proposal calldata because a signatures array can be shorter than the calldatas array. The influenced functions are propose and _encodeCalldata.
This issue may not directly cause any governance risk, but it may influence the user or someone who forked this repository. We realize that fixes may have to be in the next major version. However, we hope that the security advisory could be in the contract comments or documentation to facilitate users' understanding of potential issues and monitoring of actual behaviors.
Activity