The contract is set to be deployed on the Arbitrum chain, but Solidity version 0.8.20 emits the PUSH0 opcode, which is not yet supported on Arbitrum, so the contract cannot be deployed.
The concern is the use of solc version 0.8.20 in the smart contract. This version emits the PUSH0 opcode, which is currently not supported across all EVM chains. The contract is required to be deployed on the Arbitrum chain, which does not support the PUSH0 opcode. The vulnerability is that contracts compiled with Solidity versions above 0.8.19 will not be able to deploy, or, even if they do deploy, may not function properly and may lead to other consequences.
It is important to mention that this report is valid as of 18/01/2024 and that Arbitrum is expected to fully support PUSH0 (Shanghai) by the end of this month (27th of January).
References:
Official Arbitrum docs about Solidity support: https://docs.arbitrum.io/for-devs/concepts/differences-between-arbitrum-ethereum/solidity-support
Tweet about full PUSH0 support on Arbitrum: https://x.com/ArbitrumDevs/status/1745198708155715976?s=20
Similar finding from a past first flight: https://www.codehawks.com/submissions/clq5cx9x60001kd8vrc01dirq/28
Security Analysis of Smart Contract Migration from Ethereum to Arbitrum: https://arxiv.org/abs/2307.14773
The impact of using Solidity version 0.8.20 is that it emits the PUSH0 opcode, which is not supported on Arbitrum, so the smart contract may malfunction and may not execute correctly.
Manual review.
The PUSH0 opcode comes with 0.8.20 and higher versions; therefore, switching to 0.8.19 will make the smart contract fully compatible for deployment on the Arbitrum chain.
HorseStore.sol
IHorseStore.sol
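An added example, not part of the original submission: a pre-deployment check that scans compiled bytecode for PUSH0 (byte 0x5f) while skipping PUSH1..PUSH32 immediate data and the CBOR metadata trailer that solc appends, so data bytes are not reported as opcodes. The function names and the sample bytecode strings are constructed for illustration.

```python
"""Pre-deployment check: does compiled EVM bytecode contain PUSH0 (0x5f)?"""

PUSH0 = 0x5F
PUSH1, PUSH32 = 0x60, 0x7F


def strip_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata trailer solc appends; its last 2 bytes give its length."""
    if len(code) < 2:
        return code
    n = int.from_bytes(code[-2:], "big")
    start = len(code) - 2 - n
    # Assumption: a trailer is only accepted when it begins with a CBOR map header.
    if n > 0 and start >= 0 and 0xA0 <= code[start] <= 0xB7:
        return code[:start]
    return code


def find_push0(bytecode_hex: str, strip: bool = True) -> list[int]:
    """Return byte offsets where 0x5f occurs as an opcode, not as PUSH data."""
    code = bytes.fromhex(bytecode_hex.removeprefix("0x"))
    if strip:
        code = strip_metadata(code)
    offsets, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == PUSH0:
            offsets.append(pc)
        elif PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1  # skip the 1..32 immediate bytes
        pc += 1
    return offsets


if __name__ == "__main__":
    # Constructed sample bytecode, not output from the audited contracts.
    samples = {
        "PUSH0 PUSH0 RETURN": "0x5f5ff3",
        "PUSH1 0x5f (data only)": "605f6000f3",
        "0x5f only in metadata trailer": "6000fea1185f000004",
    }
    for name, hexcode in samples.items():
        hits = find_push0(hexcode)
        verdict = f"PUSH0 at offsets {hits}" if hits else "no PUSH0"
        print(f"{name}: {verdict}")
```

This is a linear sweep, so constant data embedded in the code section can still yield false positives; treat a hit as a prompt to check the compiler version and EVM target rather than as proof.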