Bnke0x0
low
Avoid floating pragmas for non-library contracts.
While floating pragmas make sense for libraries to allow them to be included with multiple different versions of applications, it may be a security risk for application implementations.
A known vulnerable compiler version may accidentally be selected or security tools might fall-back to an older compiler version ending up checking a different EVM compilation that is ultimately deployed on the blockchain.
It is recommended to pin to a concrete compiler version.
https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L2/CrossDomainOwnable.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L2/CrossDomainOwnable2.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/libraries/Bytes.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/libraries/Constants.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/libraries/Encoding.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/libraries/Hashing.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/libraries/Predeploys.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/libraries/Types.sol#L2 => pragma solidity ^0.8.9; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/libraries/rlp/RLPReader.sol#L2 => pragma solidity ^0.8.8; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/libraries/rlp/RLPWriter.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/libraries/trie/MerkleTrie.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/libraries/trie/SecureMerkleTrie.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/IOptimismMintableERC20.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/IOptimismMintableERC721.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/OptimismMintableERC721.sol#L2 => pragma solidity ^0.8.0; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/Semver.sol#L2 => pragma solidity ^0.8.15; https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/vendor/AddressAliasHelper.sol#L19 => pragma solidity ^0.8.0;
Manual Review
This can be done simply by checking if the ^ keyword exists in pragma and if it does check whether the version is lower than the compiler. Showing an error instead of a warning would require that the compiler has knowledge of previous versions and available features which would unnecessarily increase its complexity.