HardhatDeFi
15,000 USDC
Submission Details
Severity: low
Invalid

Hardcoded Solidity Version Restricts Upgradeability and Security Patching

1. Summary

The contract explicitly sets the Solidity compiler version to 0.8.26, which limits flexibility in upgrading to newer Solidity versions. This restriction can prevent incorporating security patches, performance improvements, and new language features introduced in later versions. Using a specific version also makes integration with other projects that rely on different versions more challenging.

2. Vulnerability Details

Description

The contract enforces Solidity version 0.8.26 strictly:

    // SPDX-License-Identifier: MIT
    pragma solidity 0.8.26;

This restricts the contract from compiling with any newer Solidity versions unless manually updated. If a vulnerability is discovered in 0.8.26, developers would need to modify and redeploy the contract, potentially introducing compatibility issues.


Root Cause

  • Using a fixed Solidity version (0.8.26) instead of a flexible range like ^0.8.0.

  • Lack of upgradeability planning for future Solidity improvements or security fixes.

https://github.com/Cyfrin/2025-01-diva/blob/1b6543768c341c2334cdff87b6dd627ee2f62c89/contracts/src/AaveDIVAWrapper.sol#L2

Impact

  • Prevents automatic adoption of security patches and compiler optimizations.

  • Increases maintenance burden when newer Solidity versions introduce improvements or fix vulnerabilities.

  • Can cause compatibility issues with external libraries and protocols using newer versions.

4. Tools Used


5. Proof of Concept (PoC) Test

To demonstrate the limitation of using a hardcoded Solidity version, I simulate a scenario where the contract cannot compile due to version constraints.

Steps to Reproduce

  1. Try compiling the contract with a different Solidity version (e.g., 0.8.29):

    npx hardhat compile --solc-version 0.8.29
  2. Expected result: Compilation fails because the contract explicitly requires 0.8.26.

Hardhat Test to Simulate the Issue

Create a test file test/solidityVersionTest.js:

    const { expect } = require("chai");
    const { ethers } = require("hardhat");

    describe("Solidity Version Restriction Test", function () {
      it("Should fail to compile with a different Solidity version", async function () {
        try {
          await ethers.getContractFactory("AaveDIVAWrapper", {
            solcVersion: "0.8.29",
          });
        } catch (error) {
          expect(error.message).to.include("Compiler version mismatch");
        }
      });
    });

Run the test:

    npx hardhat test test/solidityVersionTest.js

If the contract enforces 0.8.26, the test will fail due to version mismatch, proving the issue.

6. Mitigation

To allow flexibility while maintaining security, modify the Solidity version declaration as follows:

    pragma solidity ^0.8.0;

This allows the contract to compile with any 0.8.x version, ensuring compatibility with security updates while preventing breaking changes introduced in 0.9.x.

Additional Recommendations

  • Periodically review Solidity changelogs to identify important updates.

  • Use Hardhat or Foundry to test contract behavior across multiple compiler versions.

  • Implement an upgradeable proxy pattern (e.g., OpenZeppelin’s TransparentUpgradeableProxy) if long-term maintainability is a priority.
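The difference between the two pragma forms discussed in this submission can be checked mechanically. The following is an added example, not code from the submission or from the DIVA repository: a small matcher that lists which compiler versions each pragma admits. The function names, the sample sources and the candidate version list are constructed for illustration, and the matcher assumes only exact versions, `^` and the plain comparison operators rather than the full pragma grammar.

```javascript
// Added example: which solc releases does a `pragma solidity` constraint admit?
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

// Pull the constraint out of source text; null when no pragma line exists.
function extractPragma(source) {
  const m = source.match(/^\s*pragma\s+solidity\s+([^;]+);/m);
  return m ? m[1].trim() : null;
}

// True when `solc` meets every space-separated comparator in `constraint`.
function satisfies(constraint, solc) {
  const v = parse(solc);
  return constraint.split(/\s+/).every((part) => {
    const [, op, ver] = part.match(/^(\^|>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/) || [];
    if (!ver) throw new Error(`unsupported comparator: ${part}`);
    const t = parse(ver);
    const c = cmp(v, t);
    if (op === "^") {
      // Caret keeps the left-most non-zero component fixed: ^0.8.0 ends before 0.9.0.
      const upper = t[0] > 0 ? [t[0] + 1, 0, 0]
        : t[1] > 0 ? [0, t[1] + 1, 0] : [0, 0, t[2] + 1];
      return c >= 0 && cmp(v, upper) < 0;
    }
    if (op === ">=") return c >= 0;
    if (op === "<=") return c <= 0;
    if (op === ">") return c > 0;
    if (op === "<") return c < 0;
    return c === 0; // bare version or "=": exactly one compiler
  });
}

// List the candidate compilers a source file's pragma would accept.
function admitted(source, candidates) {
  const constraint = extractPragma(source);
  if (constraint === null) throw new Error("no pragma solidity directive found");
  return candidates.filter((solc) => satisfies(constraint, solc));
}

// Constructed inputs: the two pragma forms from this page and a candidate list.
const PINNED_SRC = "// SPDX-License-Identifier: MIT\npragma solidity 0.8.26;\n";
const FLOATING_SRC = "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.0;\n";
const CANDIDATES = ["0.7.6", "0.8.0", "0.8.26", "0.8.29", "0.9.0"]; // 0.9.0 is hypothetical

console.log("pinned  :", admitted(PINNED_SRC, CANDIDATES).join(", "));
console.log("floating:", admitted(FLOATING_SRC, CANDIDATES).join(", "));
```

With the pinned pragma, the deployed bytecode comes from one known compiler; with the caret range, the compiler is whichever admitted version the build environment selects.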

Updates

Lead Judging Commences

bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
