Please note, this content is no longer actively maintained.
The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions.
For currently maintained guidance on known Smart Contract vulnerabilities, written primarily as guidance for security reviewers, please see the EEA EthTrust Security Levels specification. In addition to the latest release version, an Editor's draft is available that represents the latest work of the group developing the specification.
Currently maintained general guidance for developers on what to consider to ensure security is also available through the Smart Contract Security Verification Standard (SCSVS).
Title
Floating Pragma
Relationships
- CWE-664: Improper Control of a Resource Through its Lifetime
- EEA EthTrust Security Levels:
  - Level [S] Improved Compilers
  - Level [S] Compiler Security Bugs
  - Level [M] Compiler Bugs and Overriding Requirements
  - Recommended Practice Use the Latest Compiler
Description
Contracts should be deployed with the same compiler version and flags that they have been tested with thoroughly. Locking the pragma helps to ensure that contracts do not accidentally get deployed using, for example, an outdated compiler version that might introduce bugs that affect the contract system negatively.
Remediation
Lock the pragma version and also consider known bugs (https://github.com/ethereum/solidity/releases) for the compiler version that is chosen.
Pragma statements can be allowed to float when a contract is intended for consumption by other developers, as is the case with contracts in a library or EthPM package. Otherwise, the developer would need to manually update the pragma in order to compile locally.
References
Samples
floating_pragma.sol
// Floating: the caret admits any compiler from 0.4.0 up to (but excluding) 0.5.0
pragma solidity ^0.4.0;
contract PragmaNotLocked {
    uint public x = 1;
}
floating_pragma_fixed.sol
// Locked: exactly one compiler version is accepted
pragma solidity 0.4.25;
contract PragmaFixed {
    uint public x = 1;
}
no_pragma.sol
// No pragma at all: the compiler version is left entirely unconstrained
contract PragmaNotLocked {
    uint public x = 1;
}
semver_floating_pragma.sol
// Each of the following forms admits more than one compiler version
pragma solidity >=0.4.0 < 0.6.0;
pragma solidity >=0.4.0<0.6.0;
pragma solidity >=0.4.14 <0.6.0;
pragma solidity >0.4.13 <0.6.0;
pragma solidity 0.4.24 - 0.5.2;
pragma solidity >=0.4.24 <=0.5.3 ~0.4.20;
pragma solidity <0.4.26;
pragma solidity ~0.4.20;
pragma solidity ^0.4.14;
pragma solidity 0.4.*;
pragma solidity 0.*;
pragma solidity *;
pragma solidity 0.4;
pragma solidity 0;
contract SemVerFloatingPragma {
}
semver_floating_pragma_fixed.sol
// Both forms below pin exactly one compiler version
pragma solidity 0.4.25;
// or
pragma solidity =0.4.25;
contract SemVerFloatingPragmaFixed {
}
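The remediation above says to lock the pragma, and the samples enumerate the floating forms a reviewer should flag. As an added example (not part of the SWC registry or any tool it references), the small checker below classifies a Solidity source file as having a locked, floating, or missing version pragma. It treats only an exact `X.Y.Z` version, optionally prefixed with `=`, as locked; every range, caret, tilde, wildcard, or partial version counts as floating, and a file with no pragma is reported separately because it constrains the compiler least of all. The sample sources embedded in it are constructed from the registry samples above; the regular expressions are a deliberately simple approximation, not the compiler's own pragma parser.

```python
import re

# Matches one `pragma solidity <constraint>;` statement and captures the constraint.
# Constructed for this example; it does not replicate solc's parser.
PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")

# A locked pragma names exactly one full version: "0.4.25" or "=0.4.25".
LOCKED_RE = re.compile(r"^=?\s*\d+\.\d+\.\d+$")


def strip_comments(source: str) -> str:
    """Remove // and /* */ comments so a commented-out pragma is not counted."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", source)


def find_pragmas(source: str) -> list[str]:
    """Return the constraint text of every active `pragma solidity` statement."""
    return [m.group(1).strip() for m in PRAGMA_RE.finditer(strip_comments(source))]


def is_locked(constraint: str) -> bool:
    """True only for an exact version, optionally prefixed with '='."""
    return LOCKED_RE.match(constraint) is not None


def check_file(source: str) -> dict:
    """Classify one Solidity source file.

    status is one of:
      'missing'  - no version pragma at all (compiler version unconstrained)
      'floating' - at least one pragma admits more than one compiler version
      'locked'   - every pragma pins exactly one version
    """
    pragmas = find_pragmas(source)
    if not pragmas:
        return {"status": "missing", "pragmas": [], "floating": []}
    floating = [p for p in pragmas if not is_locked(p)]
    return {
        "status": "floating" if floating else "locked",
        "pragmas": pragmas,
        "floating": floating,
    }


# Constructed inputs mirroring the registry's sample files.
FLOATING_SRC = "pragma solidity ^0.4.0;\ncontract PragmaNotLocked { uint public x = 1; }\n"
FIXED_SRC = "pragma solidity 0.4.25;\ncontract PragmaFixed { uint public x = 1; }\n"
NO_PRAGMA_SRC = "contract PragmaNotLocked { uint public x = 1; }\n"
SEMVER_FIXED_SRC = (
    "pragma solidity 0.4.25;\n// or\npragma solidity =0.4.25;\n"
    "contract SemVerFloatingPragmaFixed {}\n"
)
SEMVER_FLOATING_SRC = """
pragma solidity >=0.4.0 < 0.6.0;
pragma solidity >=0.4.0<0.6.0;
pragma solidity >=0.4.14 <0.6.0;
pragma solidity >0.4.13 <0.6.0;
pragma solidity 0.4.24 - 0.5.2;
pragma solidity >=0.4.24 <=0.5.3 ~0.4.20;
pragma solidity <0.4.26;
pragma solidity ~0.4.20;
pragma solidity ^0.4.14;
pragma solidity 0.4.*;
pragma solidity 0.*;
pragma solidity *;
pragma solidity 0.4;
pragma solidity 0;
contract SemVerFloatingPragma {}
"""

SAMPLES = {
    "floating_pragma.sol": FLOATING_SRC,
    "floating_pragma_fixed.sol": FIXED_SRC,
    "no_pragma.sol": NO_PRAGMA_SRC,
    "semver_floating_pragma.sol": SEMVER_FLOATING_SRC,
    "semver_floating_pragma_fixed.sol": SEMVER_FIXED_SRC,
}

if __name__ == "__main__":
    # Print one report line per sample, listing the offending constraints.
    for name, src in SAMPLES.items():
        result = check_file(src)
        detail = ", ".join(result["floating"]) if result["floating"] else "-"
        print(f"{name:36} {result['status']:9} {detail}")
```

Running the block reports `floating_pragma.sol` and `semver_floating_pragma.sol` as floating (the latter with all fourteen constraints listed), `no_pragma.sol` as missing, and the two `_fixed.sol` samples as locked. In a review pipeline the same `check_file` call can be run over every `.sol` file in a repository to fail a build when a non-library contract does not pin its compiler version.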