Last Man Standing

First Flight #45
Tags: Beginner Friendly, Foundry, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Floating Pragma and Unnamed Imports Risk Breaking Changes & Poor Clarity

Root + Impact

Root Cause: Floating `^0.8.20` pragma and a global (unnamed) OpenZeppelin import -> Impact: future compiler releases or updated dependencies can introduce breaking changes or subtle behaviour shifts without any edit to the contract, and the global import reduces readability and maintainability.

Description

  • Floating Pragma (`^0.8.20`): allows compilation with any compiler from 0.8.20 up to, but not including, 0.9.0. Any release newer than 0.8.20 (new optimizer defaults, code-generation changes, behavioural adjustments) can therefore be selected silently and alter the compiled contract.

  • Global (unnamed) Import: importing OpenZeppelin's `Ownable` with a global import (`import "@openzeppelin/contracts/access/Ownable.sol";`) instead of a named import (`import {Ownable} from ...;`) pulls every symbol in the file into scope, obscures which symbols the contract actually depends on, and is considered poor practice.

At the top of Game.sol:

```solidity
// @info: floating pragma
// @danger: Breaking changes may disrupt the intended functionality
@> pragma solidity ^0.8.20;
// @info: global (unnamed) import
// @danger: poor convention, not following best practices
@> import "@openzeppelin/contracts/access/Ownable.sol";
```

Risk

Likelihood: Low

  • Together, these practices create a brittle foundation: redeployments, CI builds, or dependency installs performed at different times may yield different bytecode, causing non-deterministic behaviour and harder audits.

Impact: Low (but potentially severe in UUPS and similar upgradeable-proxy patterns, where a storage-layout or behaviour change between compiler/library versions can break an upgrade)

  • Non-Deterministic Builds: Different developers or CI runs may produce different artifacts, complicating reproducible deployments.

  • Unexpected Behavior: Future compiler updates can silently alter logic, potentially introducing security regressions.

  • Audit Fragility: Audits performed against one set of dependencies may not cover changes introduced later, invalidating security guarantees.

  • Maintenance Overhead: Debugging subtle shifts between compiler/library versions consumes time and increases risk of oversight.

Tools Used:

  • Foundry Test Suite

  • Chat-GPT AI Assistance (Report Grammar Check & Improvements)

  • Manual Review

Proof of Concept

No PoC is required; this is a build-hygiene weakness rather than an exploitable code path. Two illustrative (hypothetical) scenarios show how it bites:

Compiler change: a later 0.8.x release changes a code-generation or optimizer default. A fresh build of Game.sol under `^0.8.20` silently selects that release and produces bytecode that differs from what was audited.
Library update: a dependency bump pulls in a newer `Ownable`. Because the import is not pinned, Game.sol compiles against whatever version is installed; across a major OpenZeppelin release the `Ownable` API itself changes (5.x requires an `initialOwner` constructor argument), so the build either breaks or the ownership setup changes without any edit to Game.sol.

Recommended Mitigation

Pin the pragma to an exact version

Before:

```solidity
pragma solidity ^0.8.20;
```

After:

```solidity
pragma solidity 0.8.20;
```

This ensures every compilation uses the same compiler release. In a Foundry project, set the same release in `foundry.toml` (`solc_version = "0.8.20"`) so local and CI builds cannot drift.

Use named imports and pin the dependency version

Before:

```solidity
import "@openzeppelin/contracts/access/Ownable.sol";
```

After:

```solidity
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
```

A version cannot be expressed in the import path itself; pin it in the dependency manager instead (an exact version in `package.json`, or a tagged release when installing with `forge install`, e.g. `forge install OpenZeppelin/openzeppelin-contracts@v4.8.0`) and commit the lockfile or submodule. That way the exact `Ownable` the audit reviewed is the one that gets compiled.
Updates

Appeal created

inallhonesty Lead Judge 30 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
