Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Invalid

Solidity Version Pragma is Too Wide

Summary

The contract uses a wide Solidity version pragma (^0.8.0), which allows the contract to be compiled with any future version of Solidity starting from 0.8.0. This can introduce potential risks as new compiler versions may introduce changes, features, or bugs that were not present when the contract was initially written and tested. It is recommended to lock the pragma to a specific version to ensure stability and security.

Vulnerability Details

The issue occurs when the Solidity version is declared with a wide range, such as:

// MysteryBox.sol: line 2
pragma solidity ^0.8.0;

Explanation:
By using ^0.8.0, the contract allows the use of future versions of Solidity up to (but not including) version 0.9.0. While this can provide flexibility in upgrading to newer compiler versions, it can also lead to unintended behavior or vulnerabilities introduced in newer compiler versions that the contract was not initially tested for.

  • Specific Example:
    A future Solidity release could introduce new features, change the semantics of existing constructs, or deprecate ones the contract relies on, producing unexpected behavior at deployment or execution time.

Impact

The use of a wide pragma can result in the following risks:

  • Unexpected Behavior: Future Solidity versions may introduce changes in how certain operations work, causing the contract to behave differently than expected.

  • New Compiler Bugs: Solidity is continually updated, and new bugs may be introduced in future releases. By locking the pragma version, you avoid exposing the contract to potential bugs in versions it wasn't designed or tested for.

  • Security Vulnerabilities: Changes in the compiler's optimizations or security features may introduce vulnerabilities that were not present during the initial development.

Tools Used

Recommendations

To ensure security and stability, it is recommended to:

  • Always specify the exact compiler version that the contract was developed and tested on. This reduces the likelihood of unexpected issues arising from future compiler changes.

  • Only update the Solidity version pragma after thorough testing and verification on the newer compiler version.

Code Fix:

Instead of using a wide pragma version (^0.8.0), specify the exact compiler version the contract was tested with to prevent unexpected issues:

pragma solidity 0.8.0;
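As an added example (not part of this submission or the MysteryBox codebase), a small Python check that classifies the version pragma of each Solidity source as locked, floating or missing, so floating pragmas like the one above can be caught in CI before a review. The sample sources are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Matches one `pragma solidity <constraint>;` statement and captures the constraint.
PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")

# Constructed sample sources (hypothetical files, not the audited MysteryBox.sol).
SAMPLES: Dict[str, str] = {
    "floating_caret.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.0;\ncontract A {}\n",
    "floating_range.sol": "pragma solidity >=0.8.0 <0.9.0;\ncontract B {}\n",
    "locked.sol": "/* pragma solidity ^0.8.0; (commented out) */\npragma solidity 0.8.0;\ncontract C {}\n",
    "missing.sol": "contract D {}\n",
}


def strip_comments(src: str) -> str:
    """Remove block and line comments so a pragma inside a comment is not matched."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def is_floating(constraint: str) -> bool:
    """A pragma is locked only when the constraint is a single exact version, e.g. '0.8.0'."""
    return re.fullmatch(r"\d+\.\d+\.\d+", constraint.strip()) is None


def check_source(src: str) -> Tuple[str, str]:
    """Return (status, constraint); status is 'locked', 'floating' or 'missing'."""
    m = PRAGMA_RE.search(strip_comments(src))
    if m is None:
        return ("missing", "")
    constraint = m.group(1).strip()
    return ("floating" if is_floating(constraint) else "locked", constraint)


def audit(sources: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify every source; anything not 'locked' deserves a look during review."""
    return [(name, *check_source(src)) for name, src in sources.items()]


if __name__ == "__main__":
    for name, status, constraint in audit(SAMPLES):
        print(f"{name:22} {status:9} {constraint}")
```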

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
