bughuntoor - Project may be unable to be deployed on Arbitrum due to incompatibility with Shanghai hardfork

[sherlock-admin]

bughuntoor

medium

Project may be unable to be deployed on Arbitrum due to incompatibility with Shanghai hardfork

Summary

Project might be unusable upon deployment due to not supporting PUSH0 OPCODE

Vulnerability Detail

The project uses unsafe pragma (^0.8.20) which by default uses PUSH0 OPCODE. However, Arbitrum currently does not support it.

This means that the produced bytecode for the different contracts won't be compatible with Arbitrum as it does not yet support the Shanghai hard fork.

Impact

Unusable contracts, will need redeploy

Code Snippet

https://github.com/sherlock-audit/2023-12-jojo-exchange-update/blob/main/smart-contract-EVM/src/JOJOExternal.sol#L6

Tool used

Manual Review

Recommendation

change pragma to 0.8.19 or change the EVM version

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because {invalid}

[nevillehuang]

@JoscelynFarr just to double confirm, in the foundry configuration foundry.toml you guys didn't set the evm_version to paris during the time of contest , so this is valid correct?

[JoscelynFarr]

yes, we did not set the evm_version to paris, so it is valid, and we will update the pragma to 0.8.19

[0xMR0]

Escalate

This should be informational or low severity at best. This issue doesn't justifies medium severity at sherlock unless the inscope contracts are affected by this issue. The issue does not mention any such information affecting in scope contracts.

This was similar issue submitted during Symmio audit and it was invalidated by sherlock.

Feel free to correct if i am missing something.

[sherlock-admin]

Escalate

This should be informational or low severity at best. This issue doesn't justifies medium severity at sherlock unless the inscope contracts are affected by this issue. The issue does not mention any such information affecting in scope contracts.

This was similar issue submitted during Symmio audit and it was invalidated by sherlock.

Feel free to correct if i am missing something.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[nevillehuang]

@0xMR0

• The difference between this and the issue you pointed out is that there is evidence via foundry.toml that if deployed wrongly, the whole contract will be DoSed, whereas the issue in symmio uses hardhat, which defaults to paris evm version

• I am borderline on this one too, given the fix can be both in-scope contract and out-of-scope configuration, but I believe the evidence from the github repo suffice to show that it is a valid medium severity issue given an explicit fix is required, with the root cause being a combination of both inscope contracts and out of scope configuration file

[Hash01011122]

Correct me if I am wrong.
Based on my thorough analysis of the rules of Sherlock, I am confident in asserting that there is no risk of fund loss in this scenario. My understanding is that the issue primarily involves adapting the EVM version in the codebase for deployment on an alternative mainnet, such as Arbitrum. This adjustment appears to be, at most, a matter of low severity, primarily serving an informational purpose. It's crucial to recognize that this change does not compromise the security or integrity of the funds, aligning perfectly with the established protocols of Sherlock(no loss of funds).

[nevillehuang]

@Hash01011122 As long as it impacts core contract functionality, there is no requirement that there needs to be a definite loss of funds, however, I can agree that it is borderline out of scope, but not completely.

https://discord.com/channels/812037309376495636/881726370370158592/1200387163624308797

[0xMR0]

How this issue is breaking core contract functionality?

Compiler config is out of scope and the compiler version to be deployed with is decided by protocol team i.e admin. Admin is trusted per readme. Arbitrum does not support PUSH0 is well known issue since May,2023 and since the admin is trusted, it is expected that the admin/developer won't deploy the contract with incompatible compiler with on-chain.

Refer this judgement for similar issue given by sherlock judging head.

[nevillehuang]

@0xMR0 Thanks for the response, this issue should be invalid

[detectiveking123]

This is invalid.

[JoscelynFarr]

Fixed PR: JOJOexchange/smart-contract-EVM@7104f58

[IAm0x52]

Fix looks good. Changes solidity version from 8.20 to 8.19.

[Evert0x]

Planning to accept escalation based on similar reasoning as this previous judgment sherlock-audit/2023-10-real-wagmi-judging#84 (comment)

[T1MOH593]

@Evert0x Isn't escalation should be accepted with referred reasoning?

[0xMR0]

@Evert0x I said low severity in escalation which is by default invalid at sherlock then i think the escalation should be accepted.

[Evert0x]

@T1MOH593 @0xMR0 correct, edited original message.

[Czar102]

Result:
Invalid
Has duplicates

[sherlock-admin]

Escalations have been resolved successfully!

Escalation status:

• 0xMR0: accepted