Title
Floating Pragma
Relationships
CWE-664: Improper Control of a Resource Through its Lifetime
Description
Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
Remediation
Lock the pragma version and also consider known bugs (https://github.com/ethereum/solidity/releases) for the compiler version that is chosen.
Pragma statements can be allowed to float when a contract is intended for consumption by other developers, as in the case with contracts in a library or EthPM package. Otherwise, the developer would need to manually update the pragma in order to compile locally.
References
Samples
floating_pragma.sol
pragma solidity ^0.4.0;
contract PragmaNotLocked {
uint public x = 1;
}
floating_pragma_fixed.sol
pragma solidity 0.4.25;
contract PragmaFixed {
uint public x = 1;
}
no_pragma.sol
contract PragmaNotLocked {
uint public x = 1;
}
semver_floating_pragma.sol
pragma solidity >=0.4.0 < 0.6.0;
pragma solidity >=0.4.0<0.6.0;
pragma solidity >=0.4.14 <0.6.0;
pragma solidity >0.4.13 <0.6.0;
pragma solidity 0.4.24 - 0.5.2;
pragma solidity >=0.4.24 <=0.5.3 ~0.4.20;
pragma solidity <0.4.26;
pragma solidity ~0.4.20;
pragma solidity ^0.4.14;
pragma solidity 0.4.*;
pragma solidity 0.*;
pragma solidity *;
pragma solidity 0.4;
pragma solidity 0;
contract SemVerFloatingPragma {
}
semver_floating_pragma_fixed.sol
pragma solidity 0.4.25;
// or
pragma solidity =0.4.25;
contract SemVerFloatingPragmaFixed {
}