TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: low
Invalid

Project may fail to be deployed to chains not compatible with Shanghai hardfork

Summary

Currently the project uses Solidity version 0.8.24, which by default emits the PUSH0 opcode introduced in the Shanghai hard fork. While the development team aims for compatibility with EVM-compatible networks such as Arbitrum, Optimism, etc., the use of this Solidity version may produce bytecode that is not supported by all targeted networks.

Vulnerability Details

Issue with PUSH0 Opcode

  • Context: The PUSH0 opcode, introduced in Solidity 0.8.20, is part of the EVM changes in the Shanghai hard fork.

  • Problem: Not all EVM-compatible networks have adopted the Shanghai hard fork. Consequently, the bytecode produced with PUSH0 may not be executable on networks that have not implemented these changes.

Impact

  1. Incompatible Deployments:

    • Contracts compiled with Solidity 0.8.24 may fail to deploy or execute on networks that do not support the Shanghai hard fork due to the presence of the PUSH0 opcode.

Tools Used

Manual code review

Recommendations

  1. Change Solidity Compiler Version:

    • Action: Downgrade to Solidity version 0.8.19 or earlier.

    • Rationale: This will avoid the use of the PUSH0 opcode and ensure compatibility across all EVM-compatible networks, regardless of their adoption of the Shanghai hard fork.

  2. Define EVM Version in Compiler Configuration:

    • Action: Explicitly specify an EVM version in the compiler settings that is widely supported across all targeted networks.

    • Reference: Utilize resources such as the Foundry documentation to configure the evm_version setting (see Foundry EVM version configuration).
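
Either recommendation can be verified on the compiled artifact before deployment. The following is an added example, not code from this submission or from the TSender project: a Python check that walks EVM bytecode and reports PUSH0 used as an instruction. The function names and the sample bytecode are constructed for illustration.

```python
from __future__ import annotations

PUSH0 = 0x5F                 # opcode added by EIP-3855 (Shanghai)
PUSH1, PUSH32 = 0x60, 0x7F   # PUSHn is followed by n bytes of immediate data


def strip_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata solc appends; its last two bytes hold its length."""
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    start = len(code) - 2 - meta_len
    # Strip only if the length fits and the blob starts with a small CBOR map header.
    if start >= 0 and 0xA0 <= code[start] <= 0xB7:
        return code[:start]
    return code


def find_push0(code: bytes) -> list[int]:
    """Return offsets where 0x5f is decoded as an instruction, not as PUSH data."""
    offsets, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == PUSH0:
            offsets.append(pc)
        if PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1   # skip the immediate bytes of PUSH1..PUSH32
        pc += 1
    return offsets


# Constructed samples (not real contract bytecode).
PARIS_STYLE = bytes.fromhex("6080604052600080fd")     # zero pushed with PUSH1 0x00
SHANGHAI_STYLE = bytes.fromhex("60806040525f80fd")    # zero pushed with PUSH0
PUSH_DATA_ONLY = bytes.fromhex("605f600052")          # 0x5f appears only as PUSH1 data
CONSTRUCTED_META = bytes.fromhex("a101415f0004")      # CBOR {1: h'5f'} + 2-byte length

if __name__ == "__main__":
    for name, code in [("paris", PARIS_STYLE), ("shanghai", SHANGHAI_STYLE),
                       ("push-data", PUSH_DATA_ONLY),
                       ("paris+meta", PARIS_STYLE + CONSTRUCTED_META)]:
        hits = find_push0(strip_metadata(code))
        print(f"{name}: {'PUSH0 at ' + str(hits) if hits else 'no PUSH0'}")
```

This is a linear sweep, so constant data embedded in the code section can still produce false positives; a hit means the artifact needs a closer look against the target chain's supported EVM version.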

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
karanel Auditor
about 1 year ago
patrickalphac Auditor
about 1 year ago
inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Other
