Status: Open. Opened by code423n4 3 years ago.
Disagree with severity as the Solidity version is defined in the project config as well so the risk of the contracts being deployed with the wrong version is low. Should be a 0
Marking this as low risk as unlocked pragma can lead to compiler bugs.
Handle: shw
Vulnerability details
Impact
Most of the contracts use an unlocked pragma (e.g., pragma solidity ^0.8.0), which is not fixed to a specific Solidity version. Locking the pragma helps ensure that contracts do not accidentally get deployed using a compiler version other than the one with which they have been tested the most.
Proof of Concept
Referenced code: Please use "grep -R pragma ." to find the unlocked pragma statements.
Recommended Mitigation Steps
Lock pragmas to a specific Solidity version. Consider the compiler bugs in the following lists and ensure the contracts are not affected by them. It is also recommended to use the latest version of Solidity when deploying contracts (see Solidity docs).
Solidity compiler bugs:
- Solidity repo - known bugs
- Solidity repo - bugs by version
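As an added example (not part of the warden's report or the audited project), the following Python checker automates the grep step above and goes one step further: it classifies each version pragma as locked (a single pinned version such as 0.8.4 or =0.8.4) or unlocked (^, ~, >=, <, ranges or || alternatives), and reports the unlocked ones with file and line. The sample sources embedded in SAMPLE_SOURCES are constructed for the demonstration; scan_directory() applies the same check to a real contracts tree.

```python
import re
from pathlib import Path

# Matches a Solidity version pragma and captures its version expression.
# Lines commented out with // never match because the line must start with "pragma".
PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+(.+?)\s*;")
# A locked pragma pins exactly one compiler version: "0.8.4" or "=0.8.4".
LOCKED_RE = re.compile(r"=?\s*\d+\.\d+\.\d+")


def classify_pragma(line):
    """Return 'locked', 'unlocked', or None if the line is not a version pragma."""
    m = PRAGMA_RE.match(line)
    if not m:
        return None  # not a "pragma solidity" line (e.g. "pragma abicoder v2;")
    expr = m.group(1)
    # Any other form (^, ~, >=, <, ranges, ||) admits more than one compiler version.
    return "locked" if LOCKED_RE.fullmatch(expr) else "unlocked"


def find_unlocked_pragmas(sources):
    """sources: mapping path -> file contents. Returns [(path, lineno, version_expr)]."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if classify_pragma(line) == "unlocked":
                findings.append((path, lineno, PRAGMA_RE.match(line).group(1)))
    return findings


def scan_directory(root):
    """Walk a directory of .sol files (the 'grep -R pragma .' step) and apply the check."""
    files = {str(p): p.read_text(encoding="utf-8") for p in Path(root).rglob("*.sol")}
    return find_unlocked_pragmas(files)


# Constructed sample sources (hypothetical paths, not from the audited codebase).
SAMPLE_SOURCES = {
    "contracts/Vault.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.0;\ncontract Vault {}\n",
    "contracts/Token.sol": "pragma solidity 0.8.4;\ncontract Token {}\n",
    "contracts/Router.sol": "pragma solidity >=0.8.0 <0.9.0;\npragma abicoder v2;\ncontract Router {}\n",
    "contracts/Legacy.sol": "// pragma solidity ^0.7.0;\npragma solidity =0.8.4;\ncontract Legacy {}\n",
}

if __name__ == "__main__":
    for path, lineno, expr in find_unlocked_pragmas(SAMPLE_SOURCES):
        print(f"{path}:{lineno}: unlocked pragma 'pragma solidity {expr};'")
```

Run against the sample sources it reports Vault.sol line 2 and Router.sol line 1; a pinned or commented-out pragma produces no finding.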