GivingThanks
First Flight #28
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

Different and wide versions of solidity are used possibly resulting in consistent compilation

trashpirate

Summary

The use of caret in the pragma statements allows different versions of Solidity to be used to compile the contracts. This can lead to deployment instability, unexpected behavior and compilation issues.

2 Found Instances:

  • Found in src/CharityRegistry.sol Line: 2

    pragma solidity ^0.8.0;

  • Found in src/GivingThanks.sol Line: 2

    pragma solidity ^0.8.0;

Vulnerability Details

Using a caret version for the pragma statement allows different versions to be used to compile the contracts. Solc compiler version 0.8.20, which is used for the library Openzeppelin, switches the default target EVM version to Shanghai, which means that the generated bytecode will include PUSH0 opcodes. Be sure to select the appropriate EVM version in case you intend to deploy on a chain other than mainnet like L2 chains that may not support PUSH0, otherwise deployment of your contracts will fail.

Slither output:

Different versions of Solidity are used:
- Version used: ['^0.8.0', '^0.8.20']
- ^0.8.0 (src/CharityRegistry.sol#3)
- ^0.8.0 (src/GivingThanks.sol#3)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/access/Ownable.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/interfaces/IERC165.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/interfaces/IERC4906.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/interfaces/IERC721.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/interfaces/draft-IERC6093.sol#3)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/token/ERC721/ERC721.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/token/ERC721/IERC721.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/token/ERC721/IERC721Receiver.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/token/ERC721/extensions/ERC721URIStorage.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/token/ERC721/extensions/IERC721Metadata.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/token/ERC721/utils/ERC721Utils.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/Base64.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/Context.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/Panic.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/Strings.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/introspection/ERC165.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/introspection/IERC165.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/math/Math.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/math/SafeCast.sol#5)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/math/SignedMath.sol#4)

Impact

Unspecified solidity version can lead to deployment instability, unexpected behavior and compilation issues. It can also lead to deployment issues on chains that do not support PUSH0 which is included in solc version 0.8.20.

Tools Used

Foundry, Slither, Aderyn, manual review

Recommendations

Specify the exact version of Solidity in the pragma statement that is compatible with the codebase and used dependencies. For example, use pragma solidity 0.8.0; instead of pragma solidity ^0.8.0;. Make sure the used solidity version is compatible with the dependencies. Also make sure correct EVM version is selected in case of deployment on L2 chains.

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Too generic

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.