Inconsistent solidity pragma

[code423n4]

Handle

maplesyrup

Vulnerability details

Impact

The source files have different solidity compiler ranges referenced. This leads to potential security flaws between deployed contracts depending on the compiler version chosen for any particular file. It also greatly increases the cost of maintenance as different compiler versions have different semantics and behavior.

Proof of Concept

This defect has numerous surfaces at https://github.com/code-423n4/2021-05-nftx/tree/main/nftx-protocol-v2/contracts/solidity

Different versions of Solidity are used in :

• Version used: ['0.6.8', '>=0.4.22<0.9.0', '>=0.4.24<0.7.0', '>=0.6.0<0.8.0', '>=0.6.2<0.8.0', '^0.6.0', '^0.6.8']
• 0.6.8 (contracts/solidity/NFTXEligiblityManager.sol#2)
• ABIEncoderV2 (contracts/solidity/NFTXEligiblityManager.sol#3)
• ^0.6.8 (contracts/solidity/NFTXFeeDistributor.sol#3)
• 0.6.8 (contracts/solidity/NFTXLPStaking.sol#3)
• 0.6.8 (contracts/solidity/NFTXVaultFactoryUpgradeable.sol#3)
• 0.6.8 (contracts/solidity/NFTXVaultUpgradeable.sol#3)
• 0.6.8 (contracts/solidity/StakingTokenProvider.sol#3)
• 0.6.8 (contracts/solidity/eligibility/NFTXDeferEligibility.sol#3)
• 0.6.8 (contracts/solidity/eligibility/NFTXDenyEligibility.sol#3)
• 0.6.8 (contracts/solidity/eligibility/NFTXEligibility.sol#3)
• 0.6.8 (contracts/solidity/eligibility/NFTXListEligibility.sol#3)
• 0.6.8 (contracts/solidity/eligibility/NFTXMintRequestEligibility.sol#3)
• 0.6.8 (contracts/solidity/eligibility/NFTXRangeEligibility.sol#3)
• 0.6.8 (contracts/solidity/eligibility/NFTXUniqueEligibility.sol#3)
• 0.6.8 (contracts/solidity/eligibility/UniqueEligibility.sol#2)

• =0.6.0<0.8.0 (contracts/solidity/interface/IERC165Upgradeable.sol#3)

• 0.6.8 (contracts/solidity/interface/IERC3156Upgradeable.sol#3)
• 0.6.8 (contracts/solidity/interface/INFTXEligibility.sol#2)
• 0.6.8 (contracts/solidity/interface/INFTXEligibilityManager.sol#1)
• ^0.6.8 (contracts/solidity/interface/INFTXFeeDistributor.sol#3)
• 0.6.8 (contracts/solidity/interface/INFTXLPStaking.sol#3)
• 0.6.8 (contracts/solidity/interface/INFTXVault.sol#3)
• 0.6.8 (contracts/solidity/interface/INFTXVaultFactory.sol#3)
• 0.6.8 (contracts/solidity/interface/IPrevNftxContract.sol#3)
• 0.6.8 (contracts/solidity/interface/IRewardDistributionToken.sol#3)
• 0.6.8 (contracts/solidity/interface/IVaultTokenUpgradeable.sol#3)
• 0.6.8 (contracts/solidity/proxy/BeaconProxy.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/proxy/ClonesUpgradeable.sol#3)

• 0.6.8 (contracts/solidity/proxy/IBeacon.sol#3)

• =0.4.24<0.7.0 (contracts/solidity/proxy/Initializable.sol#3)

• 0.6.8 (contracts/solidity/proxy/Proxy.sol#3)
• 0.6.8 (contracts/solidity/proxy/UpgradeableBeacon.sol#3)
• 0.6.8 (contracts/solidity/testing/MockStakingProvider.sol#3)
• 0.6.8 (contracts/solidity/testing/MockVault.sol#2)
• ^0.6.0 (contracts/solidity/token/ERC1155HolderUpgradeable.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/token/ERC20BurnableUpgradeable.sol#3)

• 0.6.8 (contracts/solidity/token/ERC20FlashMintUpgradeable.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/token/ERC20Upgradeable.sol#3)

• ^0.6.0 (contracts/solidity/token/ERC721HolderUpgradeable.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/token/IERC1155ReceiverUpgradeable.sol#3)

• =0.6.2<0.8.0 (contracts/solidity/token/IERC1155Upgradeable.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/token/IERC20Upgradeable.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/token/IERC721ReceiverUpgradeable.sol#3)

• =0.6.2<0.8.0 (contracts/solidity/token/IERC721Upgradeable.sol#3)

• 0.6.8 (contracts/solidity/token/RewardDistributionTokenUpgradeable.sol#2)
• 0.6.8 (contracts/solidity/util/Address.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/util/ContextUpgradeable.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/util/EnumerableSetUpgradeable.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/util/OwnableUpgradeable.sol#3)

• 0.6.8 (contracts/solidity/util/PausableUpgradeable.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/util/ReentrancyGuardUpgradeable.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/util/SafeERC20Upgradeable.sol#3)

• 0.6.8 (contracts/solidity/util/SafeMathInt.sol#3)

• =0.6.0<0.8.0 (contracts/solidity/util/SafeMathUpgradeable.sol#3)

• =0.4.22<0.9.0 (node_modules/hardhat/console.sol#2)

Tools Used

Slither

Recommended Mitigation Steps

Fix a definite compiler range that is consistent between contracts and upgrade any affected contracts to conform to the specified compiler.

[0xKiwi]

We have updated everything to 0.8.x.