Skip to content

Latest commit

 

History

History
57 lines (29 loc) · 2.62 KB

063.md

File metadata and controls

57 lines (29 loc) · 2.62 KB
Raw

Clean Quartz Hedgehog

Medium

Unlocked Pragma leads to putting all the contracts at a higher risk of being vulnerable to undiscovered Compiler Security Bugs

Summary

All the in scope solidity files have unlocked pragma versions. Thus its putting all the contracts at a higher risk of being vulnerable to undiscovered Compiler Security Bugs.

Vulnerability Detail

Contracts should be deployed with the same compiler version and flags that they have been tested the most with. Locking the pragma helps ensure that contracts do not accidentally get deployed using, for example, the latest compiler which may have higher risks of undiscovered bugs.

https://swcregistry.io/docs/SWC-103/ https://consensys.github.io/smart-contract-best-practices/development-recommendations/solidity-specific/locking-pragmas/

Impact

This vulnerability is putting all the contracts at a higher risk of being vulnerable to undiscovered compiler security bugs.

Code Snippet

All the in scope solidity files.

Like this :

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L2

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostRegistry.sol#L2

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/actions/AAction.sol#L2

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/actions/AContractAction.sol#L2

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/actions/AEventAction.sol#L2

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/actions/EventAction.sol#L2

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/allowlists/AAllowList.sol#L2

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/allowlists/ASimpleAllowList.sol#L2

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/allowlists/ASimpleDenyList.sol#L2

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/auth/PassthroughAuth.sol#L2

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/budgets/ABudget.sol#L2

Tool used

Manual Review

Recommendation

Lock the pragma version and also consider known bugs (https://github.com/ethereum/solidity/releases) for the compiler version that is chosen.