Unbounded Pragma
Overview
- Severity: Low
- Confidence: High
- Affected Versions: All
What is the Unbounded Pragma vulnerability?
In Solidity, the compiler version that may be used to compile a source unit is declared with a pragma statement. Comparison operators allow a range of compiler versions to be accepted rather than one exact version. One of these operators, >=, places no upper bound on that range, so every future compiler release is permitted to attempt compilation of the source unit. When a later release introduces breaking changes, the code either fails to compile for users of the newer compiler or, where the change is semantic rather than syntactic (for example, 0.8.0 made integer arithmetic revert on overflow by default), compiles with behaviour the author never tested.
Further reading: Solidity Documentation: Version Pragma
Technical example of vulnerable code
// SPDX-License-Identifier: Unlicense
// Unbounded range: any compiler from 0.4.24 onwards is accepted.
pragma solidity >=0.4.24;

contract SendEther {
    function sendViaCall(address _to) public payable {
        // Attaching Ether with .value() is valid in older compiler versions,
        // but throws a TypeError in newer ones. The return value is also
        // left unchecked, so a failed call goes unnoticed.
        _to.call.value(msg.value)("");
    }
}
In the example above, the pragma statement accepts any compiler version >=0.4.24. However, the .value() syntax for attaching an Ether amount to a call, as used in sendViaCall(), was deprecated in favour of the {value: ...} form and removed in Solidity 0.7.0, so any compiler from that release onwards rejects the source unit with a TypeError.
Technical example of how to fix the vulnerability
// SPDX-License-Identifier: Unlicense
// Bounded range: accepts 0.8.24 up to, but not including, 0.9.0.
pragma solidity ^0.8.24;

contract SendEther {
    function sendViaCall(address _to) public payable {
        // Current syntax for attaching Ether to a low-level call,
        // with the success flag checked so a failed transfer reverts.
        (bool sent, ) = _to.call{value: msg.value}("");
        require(sent, "Failed to send Ether");
    }
}
In the corrected example above, a newer compiler version is specified using the ^ operator rather than >=. For a 0.x release, ^0.8.24 is shorthand for >=0.8.24 <0.9.0, so the maximum accepted compiler stays within the 0.8.x range and breaking changes introduced in 0.9.0 cannot reach this code unnoticed. In addition, the syntax for attaching Ether value to the call in sendViaCall() has been updated to the form valid for the specified compiler range, and the call's success flag is now checked.
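The caret form is shorthand for an explicit range, and the same bound can be written out with separate lower and upper limits. The contract below is an added example, not code from the original page; it repeats the corrected SendEther contract with an explicit >=0.8.20 <0.9.0 range and a custom error in place of the string revert reason:

```solidity
// SPDX-License-Identifier: Unlicense
// Explicit range: equivalent to ^0.8.20, but both bounds are visible to a
// reviewer and the lower bound can be raised independently of the upper one.
pragma solidity >=0.8.20 <0.9.0;

contract SendEther {
    // Custom errors (available since 0.8.4) are cheaper than string reasons
    // and carry the values that help diagnose a failed transfer.
    error TransferFailed(address to, uint256 amount);

    function sendViaCall(address _to) public payable {
        // Current syntax for attaching Ether to a low-level call.
        (bool sent, ) = _to.call{value: msg.value}("");
        if (!sent) revert TransferFailed(_to, msg.value);
    }
}
```

For contracts that are deployed from a fixed toolchain rather than consumed as a library, an exact pin such as pragma solidity 0.8.24; removes the remaining ambiguity about which compiler produced the deployed bytecode; ranges are most useful in reusable code that downstream projects compile with their own pinned version.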