code-423n4 / 2022-01-trader-joe-findings


The contracts use unlocked pragma #181

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

hyh

Vulnerability details

Impact

As different compiler versions have critical behavior specifics, if the contract gets accidentally deployed using another compiler version than the one it was tested with, various types of undesired behavior can be introduced.

Proof of Concept

All the contracts in scope use an unlocked pragma, pragma solidity ^0.8.0, allowing a wide enough range of versions.

Examples:

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/LaunchEvent.sol#L4

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeToken.sol#L3

Recommended Mitigation Steps

Consider locking the compiler version, for example pragma solidity 0.8.6.

This can have additional benefits, for example using custom errors to save gas and so forth.
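A CI-style check for the finding above, added here as an example and not taken from the original issue or the Trader Joe code base: it strips comments, extracts every version pragma, and reports each Solidity file whose pragma is not pinned to exactly one compiler version. The file contents below are constructed samples; only the two paths reuse names cited in the issue.

```python
import re

# Version expression of a `pragma solidity ...;` statement.
PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
# Line and block comments, stripped first so a commented-out pragma is ignored.
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)


def pragma_versions(source: str) -> list[str]:
    """Return every version expression declared by a solidity pragma in the source."""
    code = COMMENT_RE.sub("", source)
    return [m.group(1).strip() for m in PRAGMA_RE.finditer(code)]


def is_locked(version: str) -> bool:
    """True only when the pragma pins one exact version (e.g. 0.8.6 or =0.8.6).

    Anything else (^0.8.0, >=0.8.0 <0.9.0, 0.8, ~0.8.6) admits a range of compilers.
    """
    return re.fullmatch(r"=?\d+\.\d+\.\d+", version) is not None


def floating_pragmas(sources: dict[str, str]) -> dict[str, list[str]]:
    """Map each file path to its unlocked pragma expressions.

    A file with no pragma at all is reported with the marker "<no pragma>",
    since it compiles with whatever version the build happens to select.
    """
    findings: dict[str, list[str]] = {}
    for path, src in sources.items():
        versions = pragma_versions(src)
        bad = [v for v in versions if not is_locked(v)] if versions else ["<no pragma>"]
        if bad:
            findings[path] = bad
    return findings


# Constructed sample sources (not the real contract contents).
SAMPLE_SOURCES = {
    "contracts/LaunchEvent.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.0;\ncontract LaunchEvent {}\n",
    "contracts/RocketJoeToken.sol": "pragma solidity >=0.8.0 <0.9.0;\ncontract RocketJoeToken {}\n",
    "contracts/Locked.sol": "/* pragma solidity ^0.8.0; superseded */\npragma solidity 0.8.6;\ncontract Locked {}\n",
}

if __name__ == "__main__":
    for path, versions in floating_pragmas(SAMPLE_SOURCES).items():
        print(f"{path}: unlocked pragma {', '.join(versions)}")
```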

cryptofish7 commented 2 years ago

Fix: https://github.com/traderjoe-xyz/rocket-joe/pull/128

dmvt commented 2 years ago

Typically I'd consider this a non-critical issue, but in this case I'm going to call it a gas issue given the savings available by locking in a higher version of Solidity.