Unlocked/floating pragmas are found in the TimeLock and EmergencyBrake contracts. Locking the pragma helps ensure that contracts are not deployed using an outdated compiler version with unfixed bugs accidentally.
Lock pragmas to a specific Solidity version. Consider the compiler bugs in the following links and ensure that they do not affect the contracts. It is also recommended to use the latest version of Solidity when writing and deploying contracts (see Solidity docs).
This is a repository of utility contracts, to be used in several projects. The pragma is locked in the core contracts, but these must remain unlocked for reusability. OpenZeppelin does the same.
Handle
shw
Vulnerability details
Impact
Unlocked/floating pragmas are found in the TimeLock and EmergencyBrake contracts. Locking the pragma helps ensure that contracts are not deployed using an outdated compiler version with unfixed bugs accidentally.
Proof of Concept
Referenced code: TimeLock.sol#L4, EmergencyBrake.sol#L3
Recommended Mitigation Steps
Lock pragmas to a specific Solidity version. Consider the compiler bugs in the following links and ensure that they do not affect the contracts. It is also recommended to use the latest version of Solidity when writing and deploying contracts (see Solidity docs).
Related links: Solidity repo - known bugs, Solidity repo - bugs by version
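One way to check a code base for the floating pragmas described in this finding, as an added example that is not part of the original report or the project's code. The file names and pragma lines in `SAMPLES` are constructed, and the `allow_floating` parameter is a hypothetical allowlist for reusable library contracts that are left unlocked on purpose.

```python
import re

# A version pragma runs from "pragma solidity" to the terminating ';'.
PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
# Locked means exactly one full x.y.z version, optionally written with '='.
LOCKED_RE = re.compile(r"=?\s*\d+\.\d+\.\d+")
# Line and block comments are blanked so commented-out pragmas are ignored.
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)

# Constructed sample sources (not the audited project's files).
SAMPLES = {
    "Utility.sol": "// SPDX-License-Identifier: MIT\n"
                   "pragma solidity ^0.8.0;\ncontract Utility {}\n",
    "Core.sol": "// pragma solidity ^0.7.0; (old)\n"
                "pragma solidity 0.8.1;\ncontract Core {}\n",
    "Range.sol": "pragma solidity >=0.8.0 <0.9.0;\ncontract Range {}\n",
}


def classify_pragmas(source):
    """Return (constraint, 'locked' | 'floating') for each version pragma."""
    code = COMMENT_RE.sub(" ", source)
    results = []
    for match in PRAGMA_RE.finditer(code):
        constraint = " ".join(match.group(1).split())  # normalise whitespace
        locked = LOCKED_RE.fullmatch(constraint) is not None
        results.append((constraint, "locked" if locked else "floating"))
    return results


def audit(files, allow_floating=()):
    """Map file name -> list of findings; files with no finding are omitted."""
    findings = {}
    for name, source in files.items():
        pragmas = classify_pragmas(source)
        if not pragmas:
            findings[name] = ["no version pragma"]
            continue
        floating = [c for c, status in pragmas if status == "floating"]
        if floating and name not in allow_floating:
            findings[name] = ["floating pragma: " + c for c in floating]
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLES, allow_floating={"Utility.sol"}).items():
        print(name, issues)
```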