Summary

For most source-units the compiler version pragma is very unspecific . While this often makes sense for libraries to allow them to be included with multiple different versions of an application, it may be a security risk for the actual application implementation itself.

Vulnerability Details

A known vulnerable compiler version may accidentally be selected or security tools might fall-back to an older compiler version ending up actually checking a different evm compilation that is ultimately deployed on the blockchain.

Impact

Low

Tools Used

Manual review code

Recommendations

Avoid floating pragmas. Use a single stable version.