Rock Paper Scissors

First Flight #38
Beginner Friendly, Solidity
100 EXP
Submission Details
Severity: medium
Invalid

Unspecific and Unlocked Solidity Compiler Version Exposing Known Critical Bugs

Summary

The RockPaperScissors and WinningToken contracts declare `pragma solidity ^0.8.13;`. The lowest version that range admits, 0.8.13, is affected by several bugs listed on the Solidity bug tracker that were fixed in later 0.8.x releases. Most of them are triggered only by specific patterns (inline assembly, ABI re-encoding of nested calldata arrays, `.selector` access on side-effecting expressions, the IR-based code generator), so they may not manifest in this codebase, but contracts that move Ether, make low-level calls or manipulate storage in non-trivial ways are exactly where such edge cases bite. Keeping an outdated lower bound leaves the contracts exposed to bugs that have already been patched.

Additionally, the caret (^) specifier does not pin any version at all: the compiler actually used is whatever the build tooling resolves within the range, so the bytecode can differ from one build to the next. This undermines audit guarantees, since behavior may subtly change with a compiler upgrade that the source does not record.


Vulnerability Details

// SPDX-License-Identifier: MIT
// @audit-issue floating pragma; lower bound 0.8.13 is affected by known compiler bugs
@> pragma solidity ^0.8.13;

Issue Explanation

If the build resolves to 0.8.13 itself, the contracts are compiled with a compiler affected by the following entries from the Solidity bug list, each of which was fixed in a later 0.8.x release:

  • VerbatimInvalidDeduplication

  • FullInlinerNonExpressionSplitArgumentEvaluationOrder

  • MissingSideEffectsOnSelectorAccess

  • StorageWriteRemovalBeforeConditionalTermination

  • AbiReencodingHeadOverflowWithStaticArrayCleanup

  • DirtyBytesArrayToStorage

  • InlineAssemblyMemorySideEffects

  • DataLocationChangeInInternalOverride

  • NestedCalldataArrayAbiReencodingSizeValidation

These bugs are documented on the Solidity GitHub Bug Tracker (the `bugs.json` file in the solidity repository records the introduced and fixed version of each). Whether any of them is actually reachable depends on the code patterns used and on which version the toolchain picks, which is precisely what a floating pragma leaves undetermined.

Additionally, the caret specifier ^ allows any compiler version from 0.8.13 up to (but not including) 0.9.0, so a newer release with changed optimizer or codegen behavior can be selected without any change to the source and outside of the developer's control.


Impact

  • Silent Logic Errors: depending on which bug is triggered, storage writes or function results can differ from what the source expresses without a revert.

  • Compiler-Induced Bugs: the same source can produce different bytecode and different behavior on different compiler versions.

  • Long-Term Incompatibility: an open-ended range lets the build drift onto versions the contracts were never tested with, and source verification on block explorers requires knowing the exact version used.

  • Undermines Audit Integrity: an audit covers the bytecode produced by one compiler version; if deployment compiles with another, the audited artifact is not the deployed one.


Tools Used

  • Slither

  • Aderyn


Recommendations

Upgrade all contracts to a patched, stable release of Solidity (e.g., 0.8.24, or the latest release at the time of the audit after checking it against the bug list) and lock the compiler version with an exact match instead of a caret:

// Recommended safe compiler version (locked)
pragma solidity 0.8.24;

Note that the pragma only rejects non-matching compilers; it does not select one. Pin the same version in the build configuration as well (for example `solc_version` in foundry.toml, or the `solidity` version in hardhat.config) so that every build and the deployment use the audited compiler.

After updating, recompile and re-audit the contracts to ensure no new warnings, incompatibilities, or unexpected behavior are introduced by the upgraded compiler version.
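A small checker that automates the two checks this finding and its recommendation describe: is the pragma floating, and is the lowest version it admits affected by a listed bug. This is an added example, not code from the submission or the Rock Paper Scissors repository. The bug table is the subset of the Solidity bug list cited above; the introduced/fixed versions are copied from the `bugs.json` file in the solidity repository (verify against the current file before relying on them), and the two Solidity snippets are constructed inputs mirroring the finding.

```python
"""Floating-pragma and known-bug checker for Solidity sources (added example)."""
import re
from typing import Optional

# (name, introduced, fixed): the affected range is [introduced, fixed).
# Values copied from the Solidity bug list (bugs.json); verify before use.
KNOWN_BUGS = [
    ("NestedCalldataArrayAbiReencodingSizeValidation", "0.5.8", "0.8.14"),
    ("DataLocationChangeInInternalOverride", "0.6.9", "0.8.14"),
    ("InlineAssemblyMemorySideEffects", "0.8.13", "0.8.15"),
    ("DirtyBytesArrayToStorage", "0.7.4", "0.8.15"),
    ("VerbatimInvalidDeduplication", "0.8.5", "0.8.15"),
    ("AbiReencodingHeadOverflowWithStaticArrayCleanup", "0.5.8", "0.8.16"),
    ("StorageWriteRemovalBeforeConditionalTermination", "0.8.13", "0.8.17"),
    ("MissingSideEffectsOnSelectorAccess", "0.6.2", "0.8.21"),
    ("FullInlinerNonExpressionSplitArgumentEvaluationOrder", "0.6.7", "0.8.21"),
]

PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
# One operator (optional) followed by a three-part version, e.g. "^0.8.13", ">=0.8.0".
CONSTRAINT_RE = re.compile(r"(\^|~|>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)")

# Constructed inputs: the finding's snippet and the recommended fix.
VULNERABLE = "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.13;\ncontract RockPaperScissors {}\n"
FIXED = "// SPDX-License-Identifier: MIT\npragma solidity 0.8.24;\ncontract RockPaperScissors {}\n"


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def find_pragma(source: str) -> Optional[str]:
    m = PRAGMA_RE.search(source)
    return m.group(1).strip() if m else None


def is_floating(spec: str) -> bool:
    """Only a single exact version ('0.8.24' or '=0.8.24') is considered locked."""
    parts = CONSTRAINT_RE.findall(spec)
    return not (len(parts) == 1 and parts[0][0] in ("", "="))


def lowest_admitted(spec: str) -> Optional[tuple]:
    """Lowest version the range admits: the tightest of its lower bounds.

    '^', '~', '>=', '=' and a bare version all bound from below at that version;
    '>' bounds at the next patch release; '<' / '<=' give no lower bound.
    """
    lower = []
    for op, ver in CONSTRAINT_RE.findall(spec):
        v = parse_version(ver)
        if op in ("^", "~", ">=", "=", ""):
            lower.append(v)
        elif op == ">":
            lower.append((v[0], v[1], v[2] + 1))
    return max(lower) if lower else None


def bugs_affecting(version) -> list:
    v = parse_version(version) if isinstance(version, str) else version
    return [name for name, intro, fixed in KNOWN_BUGS
            if parse_version(intro) <= v < parse_version(fixed)]


def check_source(source: str) -> dict:
    spec = find_pragma(source)
    if spec is None:
        return {"pragma": None, "floating": None, "lowest": None, "bugs": []}
    low = lowest_admitted(spec)
    return {
        "pragma": spec,
        "floating": is_floating(spec),
        "lowest": ".".join(map(str, low)) if low else None,
        "bugs": bugs_affecting(low) if low else [],
    }


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        r = check_source(src)
        print(f"{label}: pragma={r['pragma']!r} floating={r['floating']} "
              f"lowest={r['lowest']} bugs={len(r['bugs'])}")
```

Run against the finding's snippet the checker reports a floating range whose lowest admitted version, 0.8.13, falls inside all nine listed bug windows; against the recommended `pragma solidity 0.8.24;` it reports a locked version with none of them. Because it reasons about the lowest admitted version, it also shows why an intermediate choice such as `>=0.8.13 <0.9.0` does not help.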


Updates

Appeal created

m3dython Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Floating Pragma

