Sparkn

CodeFox Inc.
DeFiFoundryProxy
15,000 USDC
Submission Details
Severity: high

Importing contracts from OpenZeppelin compiled with Solidity v0.8.20 can cause problems when deploying on Polygon and other L2s

Summary

Solidity v0.8.20 introduced the new PUSH0 opcode, which is still not supported by major L2s, including Polygon PoS, where the project is supposed to be deployed.

Vulnerability Details

The project imports contracts from the latest OpenZeppelin release, which is compiled with Solidity v0.8.20. This compiler version targets the Shanghai EVM by default and therefore emits the new PUSH0 opcode, which is still not supported by major L2s, including Polygon PoS. There was a discussion about this on the OpenZeppelin forum.
A major toolchain change like this can break the system at deployment time and is often overlooked by developers, so we strongly recommend applying the mitigation steps below.

More information

https://wiki.polygon.technology/docs/supernets/operate/supernets-requirements/#:~:text=SOLIDITY%20V0.8.19%20OR,v0.8.19%20or%20earlier.

https://www.zaryabs.com/push0-opcode/

Impact

Deploying on a chain that does not support the opcode can lead to a DoS of the system.

Tools Used

Manual review

Recommendations

Some common mitigations for this issue when deploying to L2s are:

  • Downgrade the OpenZeppelin dependency to a release that compiles with Solidity 0.8.19 or earlier

  • Configure solc to target the paris hard fork instead of the default shanghai, so the new opcode is not emitted
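As an added pre-deployment check (not part of the original submission or the Sparkn code base): the scanner below walks compiled EVM bytecode, skipping PUSHn immediate data, and reports the offset of every PUSH0 instruction, so a CI step can fail before bytecode containing the opcode is sent to a chain that rejects it. The `check_artifact` helper assumes Foundry's artifact layout (`bytecode.object` and `deployedBytecode.object`); the sample bytecodes are constructed by hand.

```python
"""Pre-deployment check: does compiled EVM bytecode contain PUSH0 (0x5f)?
Added example, not code from the original submission or the Sparkn project."""
import json

PUSH0 = 0x5F
PUSH1, PUSH32 = 0x60, 0x7F


def find_push0(bytecode: bytes) -> list[int]:
    """Return the byte offsets of every PUSH0 instruction in the bytecode."""
    offsets = []
    pc = 0
    while pc < len(bytecode):
        op = bytecode[pc]
        if op == PUSH0:
            offsets.append(pc)
        elif PUSH1 <= op <= PUSH32:
            # PUSHn is followed by n immediate bytes; skip them so constants
            # that happen to contain 0x5f are not counted as instructions.
            pc += op - PUSH1 + 1
        pc += 1
    return offsets


def uses_push0(hex_code: str) -> bool:
    """True if 0x-prefixed hex bytecode contains at least one PUSH0."""
    return bool(find_push0(bytes.fromhex(hex_code.removeprefix("0x"))))


def check_artifact(path: str) -> dict:
    """Scan a Foundry artifact JSON (assumed layout: bytecode.object and
    deployedBytecode.object) and report PUSH0 offsets for both sections."""
    with open(path) as fh:
        art = json.load(fh)
    return {key: find_push0(bytes.fromhex(art[key]["object"].removeprefix("0x")))
            for key in ("bytecode", "deployedBytecode")}


# Constructed samples: the same memory-pointer prologue followed by a zero push,
# once as emitted for the shanghai target (PUSH0) and once for paris (PUSH1 0x00);
# the third shows that a 0x5f byte inside PUSH32 immediate data is ignored.
SHANGHAI_SAMPLE = "0x60806040525f34"   # PUSH1 0x80 PUSH1 0x40 MSTORE PUSH0 CALLVALUE
PARIS_SAMPLE = "0x6080604052600034"    # PUSH1 0x80 PUSH1 0x40 MSTORE PUSH1 0 CALLVALUE
PUSH32_DATA = "0x7f" + "5f" * 32       # PUSH32 0x5f5f...5f (no PUSH0 instruction)

if __name__ == "__main__":
    for name, code in [("shanghai", SHANGHAI_SAMPLE), ("paris", PARIS_SAMPLE),
                       ("push32-data", PUSH32_DATA)]:
        print(f"{name}: PUSH0 at offsets {find_push0(bytes.fromhex(code[2:]))}")
```

With Foundry, setting `evm_version = "paris"` under `[profile.default]` in foundry.toml (or passing `--evm-version paris` to solc directly) keeps PUSH0 out of the output, and the scanner should then report no offsets for either section.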
