Smart contracts should use a specific, locked compiler version (e.g., pragma solidity 0.8.24;) to ensure deterministic bytecode and avoid known bugs present in older or newer compiler versions. All contracts in a system should use the same version.
Specific Issue: The codebase uses "floating" pragmas (^), which allow compiling with any later compiler version. Furthermore, there is a significant inconsistency: IERC20.sol allows any version from 0.8.0 upwards, while other files require ^0.8.24. This allows IERC20.sol to be compiled with obsolete and buggy versions (e.g., 0.8.13, which had severe storage corruption bugs).
Likelihood:
The deployer uses a default Hardhat/Foundry configuration that selects an older compiler version (e.g., 0.8.4) for IERC20.sol because the pragma allows it.
A future compiler version (e.g., 0.8.26) introduces a breaking change or a new bug, and the contracts are automatically compiled with it because of the ^ symbol.
Impact:
Security Vulnerabilities: Compiling IERC20.sol with versions like 0.8.13 or 0.8.14 exposes the contract to known compiler bugs (e.g., "Optimizer Bug Regarding Memory Side Effects") even if the Solidity code itself is correct.
Non-Deterministic Builds: The bytecode generated on deployment may differ from the bytecode tested during the audit if the compiler version is not strictly locked.
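Added example, not part of the audit report or the audited codebase: a small checker that scans Solidity sources for floating pragmas, reports the oldest compiler each one admits, and flags version disagreement across files. The file names and contents below are constructed to mirror the finding (one interface on ^0.8.0, the rest on ^0.8.24, plus one locked file).

```python
import re
from typing import Dict, List, Optional

PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
EXACT_RE = re.compile(r"\d+\.\d+\.\d+")

# Constructed sample sources (not the audited project's files).
SAMPLE_SOURCES = {
    "IERC20.sol": "pragma solidity ^0.8.0;\ninterface IERC20 {}",
    "Vault.sol": "pragma solidity ^0.8.24;\ncontract Vault {}",
    "Locked.sol": "pragma solidity 0.8.24;\ncontract Locked {}",
}


def parse_pragma(source: str) -> Optional[str]:
    """Return the version spec of the first `pragma solidity` statement, or None."""
    m = PRAGMA_RE.search(source)
    return m.group(1).strip() if m else None


def is_locked(spec: str) -> bool:
    """True only for an exact version such as 0.8.24 (no ^, >=, <, or ranges)."""
    return EXACT_RE.fullmatch(spec) is not None


def lower_bound(spec: str) -> Optional[str]:
    """Oldest compiler a spec admits: ^0.8.0 and >=0.8.0 both start at 0.8.0."""
    m = re.match(r"(?:\^|>=)?\s*(\d+\.\d+\.\d+)", spec)
    return m.group(1) if m else None


def audit_pragmas(sources: Dict[str, str]) -> List[str]:
    """Report floating pragmas per file and any version disagreement across files."""
    findings, specs = [], {}
    for name in sorted(sources):
        spec = parse_pragma(sources[name])
        if spec is None:
            findings.append(f"{name}: no pragma solidity statement")
            continue
        specs[name] = spec
        if not is_locked(spec):
            findings.append(f"{name}: floating pragma '{spec}' admits compilers from {lower_bound(spec)}")
    # Every file in a system should resolve to the same spec; report any spread.
    if len(set(specs.values())) > 1:
        findings.append("inconsistent pragmas: " + ", ".join(f"{n}={s}" for n, s in specs.items()))
    return findings


if __name__ == "__main__":
    for line in audit_pragmas(SAMPLE_SOURCES):
        print(line)
```

Run against a real tree, the same functions can be fed the contents of every *.sol file; an empty result means every file carries the same locked version.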