Smart Contract / Floating Pragma
Description
Floating Pragma is a type of vulnerability found in smart contracts, specifically those written in the Solidity programming language. It occurs when the `pragma solidity` statement does not lock the compiler to a single version, so the contract can be compiled with a compiler version later than the one specified (and tested against) in the source code. This can lead to unpredictable execution of the contract and cause errors. It is classified as a CWE-831 vulnerability and has been identified by OWASP as part of their testing guide.
Risk
Floating Pragma can have a major impact on the security of a smart contract. When this vulnerability is present, it can lead to the execution of unintended code, which can cause data corruption or enable other malicious activity. Additionally, the vulnerability can be exploited to drain funds from a contract and can give an attacker access to restricted functions.
Solution
The best way to protect against Floating Pragma is to ensure that the compiler version specified in the source code matches the version used for deployment, i.e. to lock the pragma to one exact version. Additionally, developers should use version control systems such as Git to track changes to the compiler version over time.
Example
pragma solidity ^0.6.1;   // caret (^): any 0.6.x compiler from 0.6.1 upward may build this contract
contract MyContract {...}
In the example above, the contract targets version 0.6.1 of the Solidity programming language, but the caret lets any later 0.6.x compiler accept it. If the contract is compiled with a version later than 0.6.1, the contract may be vulnerable to Floating Pragma.
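A small check that implements the Solution above: it flags every `pragma solidity` statement that is not locked to one exact version and rewrites such statements to the compiler release the contract was actually tested with. This is an added example, not code from the original page; the sample source, function names and the `0.6.12` target version are constructed for illustration.

```python
"""Flag and lock floating `pragma solidity` statements in Solidity sources.

Constructed example, not part of the original page. A pragma counts as
locked only when it names exactly one compiler release (e.g. `0.6.1` or
`=0.6.1`); anything with ^, ~, comparison operators, wildcards or `||`
lets a newer compiler than the one the contract was tested with build it.
"""
import re
from typing import List, Tuple

PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
EXACT_RE = re.compile(r"^=?\s*\d+\.\d+\.\d+$")


def strip_comments(source: str) -> str:
    """Blank out // and /* */ comments, keeping newlines so line numbers hold."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                    source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def is_floating(spec: str) -> bool:
    """True unless the version specifier pins one exact compiler release."""
    return EXACT_RE.match(spec.strip()) is None


def find_floating_pragmas(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, specifier) for every pragma that is not locked."""
    findings = []
    for line_no, line in enumerate(strip_comments(source).splitlines(), start=1):
        for m in PRAGMA_RE.finditer(line):
            spec = m.group(1).strip()
            if is_floating(spec):
                findings.append((line_no, spec))
    return findings


def lock_pragma(source: str, version: str) -> str:
    """Rewrite every floating solidity pragma to the exact `version`.

    The caller supplies the compiler release the contract was tested and
    deployed with; no range arithmetic is attempted here.
    """
    if not EXACT_RE.match(version):
        raise ValueError(f"not an exact compiler version: {version!r}")

    def repl(m: "re.Match[str]") -> str:
        return m.group(0) if not is_floating(m.group(1)) else f"pragma solidity {version};"

    return PRAGMA_RE.sub(repl, source)


# Constructed sample: the page's floating pragma on a minimal contract.
SAMPLE = """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.1;   // caret: any 0.6.x from 0.6.1 upward
contract MyContract {}
"""
```

Running `find_floating_pragmas(SAMPLE)` reports line 2 with specifier `^0.6.1`; after `lock_pragma(SAMPLE, "0.6.12")` the check reports nothing.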