The version of Solidity specified by the pragma in PuppyRaffle.sol is ^0.7.6. This is not ideal because:
It is almost 3 years old (released on 16/Dec/2020) and has had many bugs fixed since then.
A floating pragma can cause the contract to be deployed with an incorrect compiler version.
Solidity v0.7.6 was released on 16/Dec/2020, making this version almost 3 years old, and many bugs have been found and resolved since.
There is no new release between v0.7.6 and v0.8.0 (also released on 16/Dec/2020), and using a floating pragma, such as ^0.7.6, is considered a bad practice for contracts deployed into production by the SWC and Consensys.
It would be overwhelming for all involved to list each bug found and resolved between v0.7.6 and v0.8.22 that might cause this project to be vulnerable. They are all listed in bugs.json and bugs_by_version.json. However, there is at least one that might be a reason for concern, even though it is rated medium: the Keccak Caching Bug. This contract uses keccak256() to select the winnerIndex and NFT rarity.
Manual Review and Foundry
Consider upgrading the contracts and project to the latest version of Solidity, which is v0.8.22 at the time of this report.
This will also require upgrading to the latest version of openzeppelin/openzeppelin-contracts.
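
One way to enforce a pinned, recent compiler version in CI, as an added example (not part of the original report or the PuppyRaffle code base): a Python check that flags floating pragmas and compiler versions below a minimum. The function names, the default minimum of 0.8.22 (taken from the recommendation above) and the sample sources are assumptions constructed for illustration.

```python
import re

# Matches `pragma solidity <expr>;` and captures the version expression.
PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.MULTILINE)
# A pinned pragma is one exact version, optionally prefixed with "=".
PINNED_RE = re.compile(r"^=?\s*(\d+)\.(\d+)\.(\d+)$")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def strip_comments(source):
    """Remove /* */ and // comments so commented-out pragmas are ignored."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", source)


def check_pragma(source, minimum=(0, 8, 22)):
    """Return a list of findings (strings) for one Solidity source file."""
    findings = []
    exprs = [e.strip() for e in PRAGMA_RE.findall(strip_comments(source))]
    if not exprs:
        return ["no 'pragma solidity' directive found"]
    for expr in exprs:
        # Anything other than a single exact version (^, ~, >=, ranges) floats.
        if not PINNED_RE.match(expr):
            findings.append(f"floating pragma: '{expr}'")
        # Lowest version named in the expression approximates the range floor.
        versions = [tuple(map(int, v)) for v in VERSION_RE.findall(expr)]
        if versions and min(versions) < minimum:
            low = ".".join(map(str, min(versions)))
            want = ".".join(map(str, minimum))
            findings.append(f"allows compiler {low}, older than {want}")
    return findings


# Constructed sample inputs (not the real PuppyRaffle.sol source).
FLOATING = "// SPDX-License-Identifier: MIT\npragma solidity ^0.7.6;\ncontract A {}\n"
PINNED = "// pragma solidity ^0.7.6;\npragma solidity 0.8.22;\ncontract B {}\n"

if __name__ == "__main__":
    for name, src in (("floating", FLOATING), ("pinned", PINNED)):
        print(name, check_pragma(src) or "ok")
```

Run it over every .sol file in the project and fail the build when any file returns findings.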