Steadefi

Summary

PUSH0 introduced from 0.8.20 is not supported on Arbitrum

Vulnerability Details

All contracts make use of 0.8.21; from 0.8.20 PUSH0 was introduced. Although this finding is regarded as known issue. It only focuses on justifying that it does not cause any compile, runtime issues and ignores the following issues

The lack of PUSH0 on Arbitrum results in different bytecode between the chains which can lead to "the differences in bytecode between versions can impact the deterministic nature of contract addresses, potentially breaking counterfactuality". As stated in this finding
https://solodit.xyz/issues/m-04-project-may-fail-to-be-deployed-to-chains-not-compatible-with-shanghai-hardfork-code4rena-ambire-ambire-git

Impact

Potentially breaks counterfactuality, can impact wallets relying on similar bytecode, may impact front ends or other offchain tooling that may use one bytecode e.g on Avalanche to apply for aspects related to Arbitrum wrongly etc

Tools Used

Manual Analysis

Recommendations

Change the Solidity version to 0.8.19 to ensure similar bytecode across all contracts and compatibility across all supported chains