GivingThanks

Root Cause and Impact

• Root Cause: The contracts are compiled with Solidity version ^0.8.0, which may default to a newer EVM version (Shanghai) in newer Solidity compilers like 0.8.20. This introduces the PUSH0 opcode, which might not be supported on all Ethereum Virtual Machine (EVM) compatible networks, especially some Layer 2 solutions.

• Impact: Deploying the contract on networks that do not support the PUSH0 opcode will fail, rendering the contract unusable on those networks.

Vulnerability Details

• Solidity Version Declaration:

  • In CharityRegistry:

    pragma solidity ^0.8.0;

  • In GivingThanks:

    pragma solidity ^0.8.0;

• Issue: Compiling with Solidity 0.8.20 or newer defaults the EVM target to Shanghai, introducing opcodes not supported on all networks.

Recommendations

• Specify EVM Version Explicitly:

  • When compiling, specify the EVM version compatible with the target network.

    solc --evm-version london ...

• Set EVM Version in Solidity Compiler Settings:

  • If using a build tool like Hardhat or Truffle, set the EVM version in the configuration file.

    // Example for Hardhat

    module.exports = {

    solidity: {

    version: "0.8.0",

    settings: {

    evmVersion: "london"

    }

    }

    };

• Update Solidity Pragma Statements:

  • Use a fixed Solidity version compatible with the target network.

    pragma solidity 0.8.17;

• Check Network Compatibility:

  • Before deployment, verify that the target network supports the EVM version and opcodes used by the compiled bytecode.

• Avoid Using Features Requiring New Opcodes:

  • Refrain from using Solidity features that introduce new opcodes unless necessary.