hats-finance / illuminex-0x0bb4aa1f58719707405c231fcdf0b405714799cf


Floating Pragma in Solidity Contracts #5

Open hats-bug-reporter[bot] opened 4 months ago

hats-bug-reporter[bot] commented 4 months ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0xb13279bb4b8fa82f37df5fc5a224a112ef3c445b5b8d8b04d5e19c832748685f
Severity: low

Description: The Solidity contracts in the repository, including BitcoinTransactionsVerifier.sol, contain a floating pragma (pragma solidity ^0.8.0;). Floating pragmas can lead to potential issues as they allow the contract to be compiled with any version of the compiler that matches the specified range. This can introduce inconsistencies and unexpected behavior if the compiler version changes.

Attack Scenario: Describe how the vulnerability can be exploited.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)

Update the pragma statement to a fixed version to ensure consistent compilation and behavior.

rotcivegaf commented 4 months ago

Informational

batmanBinary commented 4 months ago

hey @party-for-illuminati,

The Xengine-BTC codebase uses floating pragmas in all the contracts. The use of floating pragmas can lead to several potential issues, including:

  1. Inconsistent Compilation: Different compiler versions may produce different bytecode, leading to unexpected behavior.
  2. Security Vulnerabilities: Newer compiler versions might introduce vulnerabilities or lack important security fixes.
  3. Deployment Issues: Changes in compiler versions between development and deployment can cause discrepancies.

and more...

Considering the impact that floating pragmas can have on all the contracts, I have submitted this issue as low severity. Similar issues have been marked as valid low severity in previous contests:

https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/issues/158

https://github.com/hats-finance/Safe-0x2909fdefd24a1ced675cb1444918fa766d76bdac/issues/17

Addressing this issue by specifying a fixed compiler version will enhance the reliability, security, and maintainability of the contracts. Thank you for considering this issue. Addressing it could significantly improve the robustness of the codebase.

rotcivegaf commented 4 months ago

It's a good practice, so it's informational. The fact is that in hardhat.config.ts the pragma is defined.

But the sponsor has the last word.
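As an added check, not code from this thread or from the audited repository, the script below ties together the floating-pragma finding and rotcivegaf's point that hardhat.config.ts defines the compiler version: it extracts each file's pragma, flags constraints that are not an exact version, and verifies that the configured solc version actually satisfies every constraint (which is what breaks silently when a floating pragma and a bumped config drift apart). The HARDHAT_SOLC value and the sample sources are assumptions constructed for the demonstration.

```python
import re
PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
EXACT_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse_version(v: str) -> tuple:
    m = EXACT_RE.match(v.strip())
    if not m: raise ValueError(f"unsupported version syntax: {v!r}")
    return tuple(int(x) for x in m.groups())

def find_pragmas(source: str) -> list:  # every 'pragma solidity ...;' constraint in a file
    return [m.group(1).strip() for m in PRAGMA_RE.finditer(source)]

def is_floating(constraint: str) -> bool:  # only a single exact version counts as pinned
    return EXACT_RE.match(constraint.strip()) is None

def satisfies(version: str, constraint: str) -> bool:
    """Exact solc version vs. pragma: exact, '^x.y.z' (solc: ^0.8.0 is >=0.8.0 <0.9.0)
    and space-separated comparators such as '>=0.8.0 <0.9.0'; '||' is unsupported."""
    v = parse_version(version)
    for part in constraint.split():
        if part.startswith("^"):
            lo = parse_version(part[1:])
            hi = (lo[0] + 1, 0, 0) if lo[0] > 0 else (0, lo[1] + 1, 0)
            ok = lo <= v < hi
        elif part.startswith(">="): ok = v >= parse_version(part[2:])
        elif part.startswith("<="): ok = v <= parse_version(part[2:])
        elif part.startswith(">"): ok = v > parse_version(part[1:])
        elif part.startswith("<"): ok = v < parse_version(part[1:])
        else: ok = v == parse_version(part.lstrip("="))
        if not ok: return False
    return True

def audit(sources: dict, configured: str) -> list:
    """Flag floating pragmas and pragmas the configured compiler cannot satisfy."""
    findings = []
    for path, src in sources.items():
        for c in find_pragmas(src):
            if is_floating(c):
                findings.append(f"{path}: floating pragma '{c}', pin to {configured}")
            if not satisfies(configured, c):
                findings.append(f"{path}: solc {configured} does not satisfy '{c}'")
    return findings

# Constructed sample inputs, not files from the audited repository.
SAMPLE_SOURCES = {
    "BitcoinTransactionsVerifier.sol": "pragma solidity ^0.8.0;\ncontract V {}\n",
    "Pinned.sol": "pragma solidity 0.8.20;\ncontract P {}\n",
    "Old.sol": "pragma solidity >=0.7.0 <0.8.0;\ncontract O {}\n",
}
HARDHAT_SOLC = "0.8.20"  # assumed 'solidity' compiler version from hardhat.config.ts
```

Run `audit(SAMPLE_SOURCES, HARDHAT_SOLC)` from a CI step against the real `contracts/` tree and the real config value to catch both floating pragmas and a config bump that no longer matches them.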

batmanBinary commented 4 months ago

@party-for-illuminati,

hey @party-for-illuminati,

The Xengine-BTC codebase uses floating pragmas in all the contracts. The use of floating pragmas can lead to several potential issues, including:

  1. Inconsistent Compilation: Different compiler versions may produce different bytecode, leading to unexpected behavior.
  2. Security Vulnerabilities: Newer compiler versions might introduce vulnerabilities or lack important security fixes.
  3. Deployment Issues: Changes in compiler versions between development and deployment can cause discrepancies.

and more...

Considering the impact that floating pragmas can have on all the contracts, I have submitted this issue as low severity. Similar issues have been marked as valid low severity in previous contests:

hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb#158

hats-finance/Safe-0x2909fdefd24a1ced675cb1444918fa766d76bdac#17

Addressing this issue by specifying a fixed compiler version will enhance the reliability, security, and maintainability of the contracts. Thank you for considering this issue. Addressing it could significantly improve the robustness of the codebase.

party-for-illuminati commented 4 months ago

@party-for-illuminati,

hey @party-for-illuminati,

The Xengine-BTC codebase uses floating pragmas in all the contracts. The use of floating pragmas can lead to several potential issues, including:

  1. Inconsistent Compilation: Different compiler versions may produce different bytecode, leading to unexpected behavior.
  2. Security Vulnerabilities: Newer compiler versions might introduce vulnerabilities or lack important security fixes.
  3. Deployment Issues: Changes in compiler versions between development and deployment can cause discrepancies.

and more...

Considering the impact that floating pragmas can have on all the contracts, I have submitted this issue as low severity. Similar issues have been marked as valid low severity in previous contests:

hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb#158

hats-finance/Safe-0x2909fdefd24a1ced675cb1444918fa766d76bdac#17

Addressing this issue by specifying a fixed compiler version will enhance the reliability, security, and maintainability of the contracts. Thank you for considering this issue. Addressing it could significantly improve the robustness of the codebase.

It is just informational.