Note that mixing pragma is not recommended. Because different compiler versions have different meanings and behaviors, it also significantly raises maintenance costs. As a result, depending on the compiler version selected for any given file, deployed contracts may have security issues.
The minimum required version must be 0.8.17; otherwise, contracts will be affected by the following important bug fixes:
ABI Decoder V2: For two-dimensional arrays and specially crafted data in memory, the result of abi.decode can depend on data elsewhere in memory. Calldata decoding is not affected.
ABI Encoder: When ABI-encoding values from calldata that contain nested arrays, correctly validate the nested array length against calldatasize() in all cases.
Override Checker: Allow changing data location for parameters only when overriding external functions.
Code Generation: Fix data corruption that affected ABI-encoding of calldata values represented by tuples: structs at any nesting level; argument lists of external functions, events and errors; return value lists of external functions. The 32 leading bytes of the first dynamically-encoded value in the tuple would get zeroed when the last component contained a statically-encoded array.
Yul Optimizer: Prevent the incorrect removal of storage writes before calls to Yul functions that conditionally terminate the external EVM call.
Apart from these, there are several minor bug fixes and improvements.
2. Lack of checks address(0)
The following methods have a lack of checks if the received argument is an address, it's good practice in order to reduce human error to check that the address specified in the constructor or initialize is different than address(0).
The EIP-165 standard helps detect that a smart contract implements the expected logic, prevents human error when configuring smart contract bindings, so it is recommended to check that the received argument is a contract and supports the expected interface.
The contract GraphProxy has the following comment:
NOTE: Only the admin can call this function.
But this is not true, because the following methods use the modifier ifAdminOrPendingImpl or ifAdmin, and these modifiers will invoke _fallback if is not an admin.
Low
1. Mixing and Outdated compiler
The pragma version used are:
Note that mixing pragma is not recommended. Because different compiler versions have different meanings and behaviors, it also significantly raises maintenance costs. As a result, depending on the compiler version selected for any given file, deployed contracts may have security issues.
The minimum required version must be 0.8.17; otherwise, contracts will be affected by the following important bug fixes:
0.8.3:
0.8.4:
0.8.9:
0.8.13:
abi.encodeCall
in place of fixed bytes arguments.0.8.14:
calldatasize()
in all cases.0.8.15
bytes
arrays.0.8.16
0.8.17
Apart from these, there are several minor bug fixes and improvements.
2. Lack of checks
address(0)
The following methods have a lack of checks if the received argument is an address, it's good practice in order to reduce human error to check that the address specified in the constructor or initialize is different than
address(0)
.Affected source code:
3. Lack of checks
supportsInterface
The EIP-165 standard helps detect that a smart contract implements the expected logic, prevents human error when configuring smart contract bindings, so it is recommended to check that the received argument is a contract and supports the expected interface.
Reference:
Affected source code:
Non critical
4. Use
abstract
for base contractsabstract
contracts are contracts that have at least one function without its implementation. An instance of an abstract cannot be created.Reference:
Affected source code:
5. Wrong comment
The contract
GraphProxy
has the following comment:NOTE: Only the admin can call this function.
But this is not true, because the following methods use the modifier
ifAdminOrPendingImpl
orifAdmin
, and these modifiers will invoke_fallback
if is not an admin.Affected source code:
6. Use package with known vulenerabilities
Although not vulnerable, the version of openZeppelin used contains known vulnerabilities.
Reference:
Affected source code:
7. It's possible to call
initialize
twiceThe method
initialize
should be allowed to be called only once.Affected source code: