hats-finance / Intuition-0x538dbadc50cc87b281cd655f1edbc6ebda02a66a

The smart contracts of the Intuition protocol v1.
https://intuition.systems

Contracts using floating pragma #63

Open hats-bug-reporter[bot] opened 5 months ago

hats-bug-reporter[bot] commented 5 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x7eab7f2fb6837d2516e7b494d658617f0d003ebb5116b00b3030a4f8fff48220
Severity: low

Description: Both AtomWallet.sol and EthMultiVault.sol use the pragma solidity ^0.8.21; version.

An outdated compiler version might introduce vulnerabilities that affect the contracts negatively, or recently released pragma versions may have unknown security vulnerabilities.

Using an outdated compiler version can be problematic, especially if there are publicly disclosed bugs and issues mentioned there that can affect the current compiler version.

Solidity bug fixes for each version can be checked at https://github.com/ethereum/solidity/releases

Recommendation to fix: Contracts should be deployed with the same Solidity version; lock the Solidity version in the contracts and avoid using a floating pragma version.

For example, if the contracts are intended to be deployed with 0.8.21, then:

- pragma solidity ^0.8.21;
+ pragma solidity 0.8.21;
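Review bot: Locking the pragma to 0.8.21 only delivers the intended guarantee when the same compiler is pinned in the build configuration; on its own, the locked pragma makes the sources refuse to compile under any other 0.8.x toolchain rather than ensuring the deployed bytecode came from 0.8.21. The suggested change should therefore reference the corresponding compiler setting as well, which the reply below states is already pinned to v0.8.21+commit.d9974bed.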
mihailo-maksa commented 5 months ago

The reported issue regarding the use of floating pragma in AtomWallet.sol and EthMultiVault.sol has been reviewed. Here is our comprehensive perspective:

Issue Description: The issue points out that the contracts use floating pragma (^0.8.21), which might introduce vulnerabilities due to potential changes in the compiler's behavior in future versions. It is recommended to lock the solidity version to avoid unexpected issues.

Impact: Using a floating pragma can lead to unexpected behavior if a new compiler version introduces changes or bugs. Locking the version ensures that the contract is compiled with a specific version, providing consistency and predictability.

Conclusion: While locking the pragma version can be considered a best practice for ensuring consistency, the use of a floating pragma is not a security vulnerability. Our default compiler settings for deployment are set to use a specific version (v0.8.21+commit.d9974bed), and we want to allow flexibility for external developers to use any version higher than that if they prefer. Therefore, we do not see value in the suggested enhancement.

Status: This issue is invalid.
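The two positions above (the report asking for a locked pragma, the reply relying on a pinned compiler in the build configuration) can both be checked mechanically. The following script is an added example, not code from the Intuition repository or from Hats Finance: it extracts the version pragma from Solidity sources, classifies it as floating or locked, and verifies that a configured compiler version (here 0.8.21, the version cited in the reply; the commit hash is ignored) actually satisfies each pragma. The sample sources are constructed; only the file names AtomWallet.sol and EthMultiVault.sol come from the issue.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample sources. The first two file names come from the issue;
# their contents here are minimal stand-ins, not the project's real code.
SAMPLE_SOURCES: Dict[str, str] = {
    "AtomWallet.sol": "// SPDX-License-Identifier: MIT\npragma solidity ^0.8.21;\ncontract AtomWallet {}\n",
    "EthMultiVault.sol": "pragma solidity ^0.8.21;\ncontract EthMultiVault {}\n",
    "Locked.sol": "pragma solidity 0.8.21;\ncontract Locked {}\n",
    "Range.sol": "pragma solidity >=0.8.0 <0.9.0;\ncontract Range {}\n",
}

# Compiler version pinned by the build configuration (assumed; the reply cites
# v0.8.21+commit.d9974bed, and the commit suffix is not needed for matching).
CONFIGURED_SOLC = "0.8.21"

PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
# One constraint: optional operator followed by a three-part version.
CONSTRAINT_RE = re.compile(r"(\^|~|>=|<=|>|<|=)?\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def find_pragma(source: str) -> Optional[str]:
    """Return the version spec of the first 'pragma solidity' line, or None."""
    m = PRAGMA_RE.search(source)
    return m.group(1).strip() if m else None


def constraints(spec: str) -> List[Tuple[str, Version]]:
    """Split a spec such as '>=0.8.0 <0.9.0' into (operator, version) pairs."""
    return [(op or "=", (int(a), int(b), int(c))) for op, a, b, c in CONSTRAINT_RE.findall(spec)]


def is_floating(spec: str) -> bool:
    """A pragma is locked only if it names exactly one version with no range operator."""
    cs = constraints(spec)
    return not (len(cs) == 1 and cs[0][0] == "=")


def _satisfies_one(op: str, want: Version, have: Version) -> bool:
    if op == "=":
        return have == want
    if op == ">":
        return have > want
    if op == ">=":
        return have >= want
    if op == "<":
        return have < want
    if op == "<=":
        return have <= want
    if op == "^":
        # Caret keeps the left-most non-zero component fixed: ^0.8.21 means >=0.8.21 <0.9.0.
        major, minor, _ = want
        upper = (major + 1, 0, 0) if major > 0 else (0, minor + 1, 0)
        return want <= have < upper
    if op == "~":
        # Tilde allows patch-level changes only: ~0.8.21 means >=0.8.21 <0.9.0.
        upper = (want[0], want[1] + 1, 0)
        return want <= have < upper
    raise ValueError(f"unsupported operator {op!r}")


def satisfies(spec: str, version: Version) -> bool:
    """True if the compiler version meets every constraint in the spec (constraints are ANDed)."""
    if "||" in spec:
        raise ValueError("'||' alternatives are not handled in this example")
    cs = constraints(spec)
    return bool(cs) and all(_satisfies_one(op, want, version) for op, want in cs)


def audit(sources: Dict[str, str], configured_solc: str) -> Dict[str, dict]:
    """Per file: the pragma spec, whether it floats, and whether the pinned compiler satisfies it."""
    cfg = parse_version(configured_solc)
    report: Dict[str, dict] = {}
    for name, src in sources.items():
        spec = find_pragma(src)
        if spec is None:
            report[name] = {"spec": None, "floating": None, "config_ok": False}
            continue
        report[name] = {"spec": spec, "floating": is_floating(spec), "config_ok": satisfies(spec, cfg)}
    return report


if __name__ == "__main__":
    for name, r in audit(SAMPLE_SOURCES, CONFIGURED_SOLC).items():
        state = "FLOATING" if r["floating"] else "locked"
        ok = "ok" if r["config_ok"] else "MISMATCH"
        print(f"{name}: pragma {r['spec']!r} [{state}] configured solc {CONFIGURED_SOLC}: {ok}")
```

Run as a pre-commit or CI step over the real sources, the check makes the disagreement in this thread explicit: a floating pragma is reported as such (the reporter's concern), while a mismatch between the pragma and the pinned compiler, which is the failure mode that actually changes the deployed bytecode, is flagged separately (the maintainer's point).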