🛥️Informational Vulnerability 1: Floating Pragmas

Book an audit with Zokyo

Introduction: In the world of Solidity, the use of the pragma directive defines which versions of the Solidity compiler the code is compatible with. However, the use of floating pragma versions, signified by a caret (^), means the code can compile with any new version of the compiler up to, but not including, the next major version. This could inadvertently introduce breaking changes or unexpected behaviors as new compiler versions are released. In this tutorial, we'll discuss why it's a best practice to lock your pragma to a specific version and how to do it.

Concept: Floating pragmas can lead to inconsistent behaviors if contracts are compiled at different times with different compiler versions. To maintain code stability, it's recommended to lock the compiler version by specifying a particular version without using the caret.

For instance, the pragma ^0.8.0 means the code can be compiled using any version from 0.8.0 up to 0.9.0 (exclusive). This might be risky if, for example, the code was initially tested on 0.8.0, but then a later version introduced changes that weren't accounted for.

Why Lock at >= 0.8.4 Specifically?

Solidity version 0.8.4 introduced several optimizations and features that could be beneficial for contracts. By locking your contracts to >= 0.8.4, you ensure that your code is taking advantage of the latest compiler improvements while maintaining a consistent behavior.

Example:

Instead of using:

solidityCopy codepragma solidity ^0.8.0; // This allows for any version from 0.8.0 up to 0.9.0

You should lock the version:

solidityCopy codepragma solidity 0.8.4; // This ensures code is consistently compiled with version 0.8.4

Recommendation:

1. Review your contracts to identify any floating pragmas.

2. Update these pragmas to a locked version, preferably 0.8.4 or higher.

3. Re-test your contracts to ensure consistent behavior.

4. Make it a practice to avoid floating pragmas in future contracts.

Conclusion:

Locking your Solidity contracts to a specific compiler version ensures that you, your team, and any other collaborators are always working with a consistent and known environment. This practice is especially important in a domain like blockchain where the immutability of deployed contracts means that mistakes can be costly. By avoiding floating pragmas, you're taking a proactive step in ensuring the reliability and stability of your code.