Unsupported Opcode PUSH0 in Solidity 0.8.20 (^) for Deployment on Arbitrum Chain
Summary
The contract is set to be deployed on Arbitrum chain but the solidity version 0.8.20 (and above) has opcode PUSH0 which is not yet supported on Arbitrum, thus it cannot be deployed.
Vulnerability Details
The concern revolves around the usage of solc version 0.8.20 in the smart contract. This particular version introduces the PUSH0 opcode, which currently faces compatibility issues across all EVM chains. The contract, intended for deployment on the Arbitrum chain, encounters a hurdle as it does not support the PUSH0 opcode. The vulnerability arises from the fact that contracts compiled with solidity versions above 0.8.19 may face challenges during deployment. Even if deployment is successful, these contracts may not function correctly, leading to potential consequences.
References:
Official Arbitrum docs about Solidity support: Arbitrum Solidity Support.
Similar findings from past first flight: Codehawks Submission - 1, 2.
0xJuancito /multichain-auditor github.
Impact
The impact of using the solidity version 0.8.20 (and above) is that it comes with the PUSH0 opcode and this opcode is not supported on Arbitrum causing the smart contract to malfunction and the contract may not execute correctly.
Tools Used
Manual Review.
Recommendations
Change the Solidity compiler version to 0.8.19 or define an evm version, which is compatible across all of the intended chains to be supported by the protocol.
Example: -
ALSO:
Solidity pragma should be specific, not wide.
Consider using a specific version of Solidity in your contracts instead of a wide version.
For example, instead of pragma solidity ^0.8.19;, use pragma solidity 0.8.19;
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.