Open code423n4 opened 3 years ago
Using latest solidity version is best practice. However, upgrading to 0.7.x or 0.8.x requires significant refactoring and any braking changes in solidity could potentially introduce bugs. Also, upgrading at this stage of the project would delay launch further and may require another audit.
I'm changing the severity of the issue to non-significant as Based Loans is a fork of Compound codebase, and there are no compiler-related bugs in Compound codebase AFAIK.
Handle
0xRajeev
Vulnerability details
Impact
The project is using Solidity compiler version 0.6.12 which was released in July 2020, while the latest compiler version is 0.8.4. Using such an older version makes the project susceptible to any compiler bugs fixed or dangerous features deprecated since then, and also prevents it from leveraging the newly introduced features.
It may be recognized that this is harder for this project because it is making modifications to an existing older project (Compound) which uses compiler version 0.5.x.
Proof of Concept
https://github.com/code-423n4/2021-04-basedloans/blob/5c8bb51a3fdc334ea0a68fd069be092123212020/code/contracts/CEther.sol#L3
https://github.com/ethereum/solidity/releases/tag/v0.6.12
https://github.com/ethereum/solidity/releases/tag/v0.7.6
Tools Used
Manual Analysis
Recommended Mitigation Steps
Given Solidity’s fast release cycle, consider using a more recent version of the compiler, such as version 0.7.6.
Given that the project is already going from original Compound’s 0.5.x to 0.6.x, it may as well go to 0.7.x version. This may involve a few more breaking changes for changing from 0.6.x to 0.7.x, but there don’t seem to be that many language-level breaking features (see https://github.com/ethereum/solidity/releases/tag/v0.7.0)