26 Apr 2023

Floating Pragma (SWC-103)

Description

When deploying smart contracts, it is important to ensure that they are deployed using the same compiler version and flags they were tested with, so that the contracts function as intended and do not introduce bugs or vulnerabilities into the system. One way to help ensure this is to “lock” the pragma version used in the contract, which prevents it from being compiled with an outdated or incompatible compiler version. This matters because even minor changes in the compiler version can affect the behavior of a contract. By locking the pragma version, developers ensure that the deployed contract is compiled with the same compiler version and flags it was tested with, reducing the risk of unexpected behavior or vulnerabilities.

Remediation

Expanding on the previous statement, it is important to lock the pragma version when deploying contracts to ensure that they are compiled with a specific, tested version of the Solidity compiler. It is also important to consider any known bugs or issues associated with the selected compiler version, which can be found on the Solidity GitHub repository.

However, when creating contracts intended for use by other developers, such as those in a library or EthPM package, it may be appropriate to allow the pragma statement to float. This means that the contract can be compiled using the latest stable version of the Solidity compiler, rather than being locked to a specific version. In such cases, the developer using the library or package would need to manually update the pragma statement to ensure that it is compatible with their own contract system.

Contract Samples

Code with a vulnerability

// ^0.4.0 accepts any 0.4.x compiler, so the deployed bytecode may differ
// from the version the contract was tested with.
pragma solidity ^0.4.0;

contract PragmaNotLocked {
    uint public x = 1;
}

Code without vulnerabilities

// An exact version pin: only compiler 0.4.25 will accept this source.
pragma solidity 0.4.25;
// or, equivalently
pragma solidity =0.4.25;

contract SemVerFloatingPragmaFixed {
}
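The distinction between the two samples above (a range constraint versus an exact pin) is mechanical enough to check before deployment. The following is an added example, not part of the original article or of any of the tools listed below: a small Python scanner that flags Solidity pragma constraints containing range operators (^, ~, >=, <, ||, wildcards) as floating, treats a missing pragma as unconstrained, and runs over constructed sample sources.

```python
"""Flag floating Solidity pragma statements (SWC-103) in source text."""
import re
from typing import List, NamedTuple

# Matches `pragma solidity <constraint>;` at the start of a line, so a
# constraint inside a `//` comment is not picked up (block comments are not handled).
PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.MULTILINE)
# A pinned constraint is a single x.y.z version, optionally prefixed with '='.
EXACT_VERSION_RE = re.compile(r"=?\s*\d+\.\d+\.\d+")


class PragmaFinding(NamedTuple):
    line: int          # 1-based line number of the pragma statement
    constraint: str    # the raw version constraint, e.g. "^0.4.0"
    floating: bool     # True if the constraint admits more than one compiler version


def is_floating(constraint: str) -> bool:
    """Anything other than an exact version (with or without '=') is a range."""
    return EXACT_VERSION_RE.fullmatch(constraint.strip()) is None


def scan_source(source: str) -> List[PragmaFinding]:
    """Return one finding per pragma statement found in the source."""
    findings = []
    for m in PRAGMA_RE.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        constraint = m.group(1).strip()
        findings.append(PragmaFinding(line_no, constraint, is_floating(constraint)))
    return findings


def has_floating_pragma(source: str) -> bool:
    """True if any pragma floats, or if no pragma constrains the compiler at all."""
    findings = scan_source(source)
    return not findings or any(f.floating for f in findings)


# Constructed sample inputs mirroring the article's two samples plus edge cases.
SAMPLES = {
    "floating": "pragma solidity ^0.4.0;\ncontract PragmaNotLocked {\n    uint public x = 1;\n}\n",
    "locked": "pragma solidity 0.4.25;\ncontract SemVerFloatingPragmaFixed {\n}\n",
    "locked_eq": "pragma solidity =0.4.25;\ncontract C {}\n",
    "range": "// pragma solidity 0.4.25;\npragma solidity >=0.4.22 <0.6.0;\ncontract C {}\n",
    "missing": "contract C {}\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        verdict = "FLOATING" if has_floating_pragma(src) else "locked"
        print(f"{name:10s} -> {verdict}  {scan_source(src)}")
```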

Tools for scanning SWC-103

1. Mythril: An open-source security analysis tool that can detect the SWC-103 vulnerability, among other vulnerabilities.

2. Slither: Another open-source static analysis tool that can detect the SWC-103 vulnerability in Solidity smart contracts.

3. Securify: A security scanner for Ethereum smart contracts that can detect the SWC-103 vulnerability, as well as other common vulnerabilities.

4. Echidna: A property-based testing tool that can be used to detect the SWC-103 vulnerability in Solidity smart contracts.

5. Manticore: A symbolic execution tool that can detect the SWC-103 vulnerability, as well as other vulnerabilities in smart contracts.

Common Weakness Enumeration (CWE)

CWE-664: Improper Control of a Resource Through its Lifetime

Mitigation for SWC-103

SWC-103 is a vulnerability that can arise when a contract’s fallback function does not include proper error handling. To mitigate this vulnerability, it is recommended to include proper error handling in the fallback function, such as logging the error and rejecting the transaction. Developers should also consider implementing a more structured contract design that does not rely on the fallback function for critical functionality.

One approach to improve contract design is to use the “pull payment” model, where the contract does not initiate the payment but rather waits for the user to initiate the payment. Another approach is to use the “withdraw pattern,” where each user’s funds are kept in a separate balance, and the user must actively withdraw the funds from the contract.

Furthermore, developers should also use the latest version of Solidity and perform thorough testing and auditing of their contracts to detect and prevent vulnerabilities like SWC-103.

Conclusion

SWC-103 is a vulnerability that can arise when a contract uses a timestamp as a source of randomness. Attackers can manipulate the timestamp to control the outcome of the contract’s logic, potentially leading to unintended state changes or even complete contract compromise.
