GivingThanks

First Flight #28
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Invalid

Floating Pragma

Summary: A floating pragma specifies a range of compiler versions that may compile a smart contract. It does not pin the compiler version; it only triggers a version check, and compilation fails with an error if the compiler in use does not match. Using a strict pragma (specifying an exact compiler version) is recommended to avoid deploying contracts built with outdated compilers, which might contain unresolved bugs.

Vulnerability Details:

  1. Shifting to an older compiler version: An older compiler version may contain publicly disclosed vulnerabilities and lack the latest security checks and fixes. With a floating pragma, shifting to an older version is possible because a range of compilers is compatible with the code.

  2. Using a very recent compiler version: Just as an older version can be missing security fixes, a very recent compiler version can be susceptible to vulnerabilities that have not yet been discovered.

  3. Use of multiple pragma versions across different files: Using different versions across different files can cause code inconsistency, leading to unknown security issues.

Impact:

Using different versions across different files can cause code inconsistency leading to unknown security issues.

Tools Used:

Manual Research

Recommendations:

The first and foremost way of dealing with a floating pragma is to use a strict, locked pragma version for your Solidity code across all contracts. Preferably, the version should be neither too old nor too recent, since either can have security bugs attached to it.

Consider using a specific version of Solidity in your contracts instead of a wide version. For example, instead of `pragma solidity ^0.8.0;`, use `pragma solidity 0.8.0;`
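
A check that flags floating pragmas and mixed pinned versions across files, as described above. This is an added example, not part of the original submission; the file names and sources in `SAMPLE` are constructed, and `audit_pragmas` is a hypothetical helper name.

```python
import re

# Captures the version expression of a `pragma solidity ...;` directive.
PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.MULTILINE)
# A pinned pragma is one exact version, optionally prefixed with "=".
PINNED_RE = re.compile(r"^=?\s*\d+\.\d+\.\d+$")

def strip_comments(source):
    """Drop /* */ and // comments so commented-out pragmas are ignored."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", source)

def audit_pragmas(files):
    """files maps path -> Solidity source text.
    Returns (findings, pinned_versions); findings is a list of (path, issue)."""
    findings, pinned = [], {}
    for path, source in sorted(files.items()):
        exprs = [e.strip() for e in PRAGMA_RE.findall(strip_comments(source))]
        if not exprs:
            findings.append((path, "no solidity pragma"))
        for expr in exprs:
            if PINNED_RE.match(expr):
                pinned.setdefault(expr.lstrip("= "), []).append(path)
            else:
                findings.append((path, f"floating pragma: {expr}"))
    # Pinned files that disagree with each other are the "multiple pragma
    # versions across different files" case.
    if len(pinned) > 1:
        for version, paths in sorted(pinned.items()):
            for path in paths:
                findings.append((path, f"mixed pinned versions: {version}"))
    return findings, sorted(pinned)

# Constructed sample sources (not taken from the audited repository).
SAMPLE = {
    "A.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.0;\ncontract A {}\n",
    "B.sol": "pragma solidity 0.8.0;\ncontract B {}\n",
    "C.sol": "// pragma solidity ^0.7.0;\npragma solidity =0.8.20;\ncontract C {}\n",
    "D.sol": "pragma solidity >=0.8.0 <0.9.0;\ncontract D {}\n",
}

if __name__ == "__main__":
    for path, issue in audit_pragmas(SAMPLE)[0]:
        print(f"{path}: {issue}")
```
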
Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
