code-423n4 / 2023-10-party-findings


Using Solidity 0.8.20 and the Shanghai EVM version will break deployment on Base and the deterministic nature of addresses #297

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-party/blob/b23c65d62a20921c709582b0b76b387f2bb9ebb5/contracts/party/PartyGovernance.sol#L2

Vulnerability details

Impact

All contracts in the codebase use Solidity 0.8.20 and foundry.toml has evm_version = 'shanghai'. The protocol team has stated that they will be deploying on Ethereum mainnet and Base mainnet.

With Solidity version 0.8.20 and evm_version = 'shanghai', Solidity uses the new PUSH0 opcode.

The issue is that Base mainnet doesn't support the PUSH0 opcode yet. Because of this, the bytecode produced from the contracts won't be compatible with Base mainnet, as it still doesn't support the Shanghai hard fork.

This could also become a problem if different versions of Solidity/EVM are used to compile contracts for different chains. The differences in bytecode between versions can impact the deterministic nature of contract addresses.

Tools Used

Manual Review

Recommended Mitigation Steps

Either change the pragma across all files to 0.8.19 or change the evm_version inside foundry.toml to paris and use the same configuration to deploy on both Ethereum and Base.

Assessed type

Other
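A pre-deployment check for the incompatibility described in the report above, as an added example that is not part of the original submission or the Party codebase: it walks runtime bytecode opcode by opcode and reports where PUSH0 (0x5f) is used as an instruction. The function names and all sample bytecode are constructed for illustration; the metadata handling assumes solc's default CBOR trailer, whose last two bytes give its length.

```python
# EVM opcode values (PUSH0 was added by EIP-3855 in the Shanghai fork).
PUSH0 = 0x5F
PUSH1, PUSH32 = 0x60, 0x7F

# Constructed sample runtime bytecode (not taken from the Party contracts).
PARIS = "0x60806040526000" "6000fd"   # PUSH1 0x00 used to push zero
SHANGHAI = "0x60806040525f5ffd"       # same logic compiled with PUSH0
PUSH1_5F = "0x605f600052"             # 0x5f appears only as PUSH1 data
# Constructed CBOR trailer: map{"xx": h'5f5f'} followed by its length (7).
TRAILER = "a1627878425f5f0007"


def strip_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata trailer that solc appends to runtime code."""
    if len(code) < 2:
        return code
    cbor_len = int.from_bytes(code[-2:], "big")
    start = len(code) - 2 - cbor_len
    # Strip only if the length fits and the trailer starts with a small CBOR map.
    if cbor_len > 0 and start >= 0 and 0xA0 <= code[start] <= 0xB7:
        return code[:start]
    return code


def find_push0(code_hex: str, has_metadata: bool = True) -> list[int]:
    """Return byte offsets where 0x5f is executed as an opcode.

    PUSH1..PUSH32 immediates are skipped, so a 0x5f byte inside push
    data (or inside the stripped metadata trailer) is not reported.
    """
    code = bytes.fromhex(code_hex.removeprefix("0x"))
    if has_metadata:
        code = strip_metadata(code)
    offsets, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op == PUSH0:
            offsets.append(pc)
        elif PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1  # skip the 1..32 immediate bytes
        pc += 1
    return offsets


if __name__ == "__main__":
    for name, sample in [("paris", PARIS), ("shanghai", SHANGHAI)]:
        hits = find_push0(sample)
        print(name, "PUSH0 at offsets:", hits if hits else "none")
```

A non-empty result means the artifact needs a Shanghai-capable chain; running it on the build output for every target chain also shows whether the same bytecode is being deployed everywhere.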

c4-pre-sort commented 1 year ago

ydspa marked the issue as duplicate of #532

c4-pre-sort commented 1 year ago

ydspa marked the issue as insufficient quality report

c4-judge commented 1 year ago

gzeon-c4 changed the severity to QA (Quality Assurance)