SWC-103
Title
Floating Pragma
Relationships
CWE-664: Improper Control of a Resource Through its Lifetime
Description
Contracts should be deployed with the same compiler version and flags that they have been thoroughly tested with. Locking the pragma helps to ensure that a contract is not accidentally deployed with a different compiler than the one it was tested on, for example an outdated version that might introduce bugs that affect the contract system negatively, or a newer release that was never part of testing.
Remediation
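Lock the pragma to one exact compiler version, and review the known bugs (https://github.com/ethereum/solidity/releases) for the version that is chosen. The pragma constrains only the compiler version; optimizer settings and other compiler flags have to be pinned separately in the build configuration.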
Pragma statements can be allowed to float when a contract is intended for consumption by other developers, as is the case with contracts in a library or an EthPM package. If such a package locked its pragma, each developer using it would need to manually update the pragma in order to compile it locally. The contracts that are ultimately deployed should still lock theirs.
References
Contract Samples
floating_pragma.sol
pragma solidity ^0.4.0; // floating: the caret accepts a range of 0.4.x compilers from 0.4.0 up, not one tested version
contract PragmaNotLocked { // minimal contract; only the pragma on line 1 is relevant to SWC-103
uint public x = 1;
}
floating_pragma.yaml
description: Floating pragma
issues:
- id: SWC-103
count: 1 # one finding is expected for floating_pragma.sol
locations:
- bytecode_offsets: {} # left empty; the finding is located by source line only
line_numbers:
floating_pragma.sol: [1] # line 1 is the `pragma solidity ^0.4.0;` statement
floating_pragma_fixed.sol
pragma solidity 0.4.25; // locked: a bare version with no range operator names exactly one compiler release
contract PragmaFixed { // same body as the floating sample; only the pragma differs
uint public x = 1;
}
floating_pragma_fixed.yaml
description: Floating pragma
issues:
- id: SWC-103
count: 0 # no finding is expected once the pragma names a single version
locations: []
no_pragma.sol
contract PragmaNotLocked { // this file has no version pragma, so the source places no constraint on the compiler
uint public x = 1;
}
no_pragma.yaml
description: Floating pragma
issues:
- id: SWC-103
count: 1 # a missing pragma is counted as one finding
locations:
- bytecode_offsets: {} # left empty; the finding is located by source line only
line_numbers:
no_pragma.sol: [1] # the file contains no pragma line; the finding is attributed to line 1
semver_floating_pragma.sol
pragma solidity >=0.4.0 < 0.6.0; // bounded range: lower and upper comparator, still many releases
pragma solidity >=0.4.0<0.6.0; // same bounds as the line above, written without whitespace
pragma solidity >=0.4.14 <0.6.0; // bounded range with a patch-level lower bound
pragma solidity >0.4.13 <0.6.0; // bounded range with an exclusive lower bound
pragma solidity 0.4.24 - 0.5.2; // hyphen range between two versions
pragma solidity >=0.4.24 <=0.5.3 ~0.4.20; // several comparators combined; the result is still a range
pragma solidity <0.4.26; // upper bound only
pragma solidity ~0.4.20; // tilde range
pragma solidity ^0.4.14; // caret range
pragma solidity 0.4.*; // wildcard in the patch position
pragma solidity 0.*; // wildcard in the minor position
pragma solidity *; // wildcard for the whole version
pragma solidity 0.4; // partial version: no patch component given
pragma solidity 0; // partial version: major component only
contract SemVerFloatingPragma { // empty contract; each of the 14 pragma lines above is one expected finding
}
semver_floating_pragma.yaml
description: Floating pragma with semantic versioning operators allows multiple compilers to be used
issues:
- id: SWC-103
count: 14 # one finding per pragma statement, lines 1-14 of semver_floating_pragma.sol
locations:
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [1]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [2]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [3]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [4]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [5]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [6]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [7]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [8]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [9]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [10]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [11]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [12]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [13]
- bytecode_offsets: {}
line_numbers:
semver_floating_pragma.sol: [14]
semver_floating_pragma_fixed.sol
pragma solidity 0.4.25; // exact version, no range operator
// or, with an explicit equality operator:
pragma solidity =0.4.25;
contract SemVerFloatingPragmaFixed { // empty contract; only the pragma form is being demonstrated
}
semver_floating_pragma_fixed.yaml
description: Floating pragma with semantic versioning operators allows multiple compilers to be used
issues:
- id: SWC-103
count: 0 # neither exact-version form (`0.4.25` or `=0.4.25`) is expected to be reported
locations: []