code-423n4 / 2022-07-swivel-findings


QA Report #154

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Different Solidity compiler versions are used for some of the contracts.

Creator:
Compounding.sol, Creator.sol, Interfaces.sol, LibFuse.sol, Protocols.sol, VaultTracker.sol - pragma solidity 0.8.13;
Erc20.sol, IRedeemer.sol - pragma solidity ^0.8.0;
FixedPointMathLib.sol - pragma solidity >=0.8.0;
LibCompound.sol - pragma solidity >=0.8.4;
ZcToken.sol - pragma solidity ^0.8.4;
IERC5095.sol - pragma solidity ^0.8.0;

Similarly, Marketplace and VaultTracker also have the same way of compiling.

Contracts should be deployed with the same compiler version and flags that they have been tested the most with. Locking the pragma helps ensure that contracts do not accidentally get deployed using, for example, the latest compiler which may have higher risks of undiscovered bugs. Contracts may also be deployed by others and the pragma indicates the compiler version intended by the original authors.

The study says that locking the compiler version would be safe. Please refer to the following recommendations:
https://consensys.net/blog/developers/solidity-best-practices-for-smart-contract-security/
https://swcregistry.io/docs/SWC-103
https://consensys.github.io/smart-contract-best-practices/development-recommendations/solidity-specific/locking-pragmas/
https://github.com/ConsenSys/smart-contract-best-practices/issues/125

Though it is a high cause of concern to me, instead of marking this as high/medium, I am placing this in QA for judges to decide on this.
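A small check for the pattern described in this finding (locked versus floating `pragma solidity` statements across a set of source files), added here as an example; it is not part of the original report or of the Swivel code base. The sample sources are constructed stand-ins that reuse the file names from the finding, not the project's actual files, and the classification rule (an exact `MAJOR.MINOR.PATCH` with no range operator counts as locked) is the one the SWC-103 recommendation linked above implies.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample sources (stand-ins, not the project's own files).
# One exact pragma, several floating forms, and one file with no pragma.
SAMPLE_SOURCES: Dict[str, str] = {
    "Creator.sol": "// SPDX-License-Identifier: AGPL-3.0\npragma solidity 0.8.13;\ncontract Creator {}\n",
    "Erc20.sol": "pragma solidity ^0.8.0;\ncontract Erc20 {}\n",
    "FixedPointMathLib.sol": "pragma solidity >=0.8.0;\nlibrary FixedPointMathLib {}\n",
    "LibCompound.sol": "pragma solidity >=0.8.4;\nlibrary LibCompound {}\n",
    "Range.sol": "pragma solidity >=0.8.0 <0.9.0;\ncontract Range {}\n",
    "NoPragma.sol": "contract NoPragma {}\n",
}

# Matches "pragma solidity <spec>;" at the start of a line and captures <spec>.
PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.MULTILINE)
# A locked pragma is exactly three dot-separated integers, nothing else
# (no ^, ~, >=, <, or multiple ranges).
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+$")


def pragma_of(source: str) -> Optional[str]:
    """Return the first version spec declared by a pragma solidity statement, or None."""
    m = PRAGMA_RE.search(source)
    return m.group(1).strip() if m else None


def is_locked(version_spec: str) -> bool:
    """True when the spec pins one exact compiler version."""
    return EXACT_RE.match(version_spec) is not None


def audit(sources: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Report every file whose pragma is missing or floating as (file, spec, reason)."""
    findings: List[Tuple[str, Optional[str], str]] = []
    for name, src in sources.items():
        spec = pragma_of(src)
        if spec is None:
            findings.append((name, None, "missing pragma"))
        elif not is_locked(spec):
            findings.append((name, spec, "floating pragma"))
    return findings


def distinct_locked_versions(sources: Dict[str, str]) -> List[str]:
    """Distinct exact versions in use; more than one means contracts are pinned inconsistently."""
    versions = set()
    for src in sources.values():
        spec = pragma_of(src)
        if spec is not None and is_locked(spec):
            versions.add(spec)
    return sorted(versions)


if __name__ == "__main__":
    for name, spec, reason in audit(SAMPLE_SOURCES):
        print(f"{name}: {reason} ({spec})")
    print("locked versions in use:", distinct_locked_versions(SAMPLE_SOURCES))
```

Run against a real tree by replacing `SAMPLE_SOURCES` with the contents of each `.sol` file; a non-empty `audit` result, or more than one entry from `distinct_locked_versions`, is the condition the report above flags.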

robrobbins commented 2 years ago

compiler is locked in contracts, which are all the same.

libs have ^8.x.x.x