search

Cyfrin / 2023-07-beedle

19 stars 18 forks source link

Pragma non-specification can lead to non-functional / corrupted contract when deployed on Arbitrum #1885

Open codehawks-bot opened 1 year ago

codehawks-bot commented 1 year ago

Pragma non-specification can lead to non-functional / corrupted contract when deployed on Arbitrum

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Staking.sol#L2

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Lender.sol#L2

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Fees.sol#L2

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/Beedle.sol#L2

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/interfaces/IERC20.sol#L2

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/interfaces/ISwapRouter.sol#L2

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/utils/Errors.sol#L2

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/utils/Ownable.sol#L2

https://github.com/Cyfrin/2023-07-beedle/blob/main/src/utils/Structs.sol#L2

Summary

Pragma has been set to ^0.8.19 allowing the contracts to be compiled with a compiler equal or greater than 0.8.19. The problem with compiling is that Arbitrum is NOT compatible with 0.8.20 and later.

Vulnerability Details

Contracts compiled with non specified versions will result in a non-functional or potentially damaged version that won't behave as expected. The default behaviour of compiler would be to use the newest version which would mean by default it will be compiled with the 0.8.20 version which will produce broken code.

Impact

Corrupted or non-functional contracts when deployed on Arbitrum.

Tools Used

Manual Review

Recommendations

Lock or Constrain pragma as follows: pragma solidity 0.8.19 or pragma solidity >=0.8.0 <=0.8.19

Jnrlouis commented 1 year ago

[ESCALATION] @PatrickAlphaC the sponsor stated that this would be deployed on Optimism and not Arbitrium.

This issue is only valid on Arbitrium.

qckhp96565463 commented 1 year ago

[ESCALATION] It should be low as the contract can be redeployed, rest of the issues with the same finding is marked as LOW. This should be LOW as no funds at risk.

PatrickAlphaC commented 1 year ago

If they deployed it, and sent funds to it, and a part of it didn't work, that would be a high issue. I will agree, this report is not very good, as it's not clear what exactly the exploit path is, but this seems like a big issue.

Impact: HIGH Likelihood: LOW

Keeping as medium.