The Smart Contract Weakness Classification and Test Cases (SWC) Registry is a catalogue of weaknesses to avoid when writing smart contracts. It can seem daunting to understand every entry, so I'll do my best to demystify each issue and explain it with real-world examples. This write-up is intended for those who are just starting out in Solidity development and smart contract auditing.
SWC-102: Outdated Compiler Version
Using an outdated compiler version is problematic when bugs affecting that version have been publicly disclosed: an attacker can read the same release notes that the developer ignored, and the deployed bytecode cannot be recompiled afterwards. Older versions also lack newer language features and safety defaults, and code written against them tends to rely on functions and syntax that were later deprecated (deprecated functions will be covered in SWC-111).
At the time of writing, the latest Solidity version is 0.8.19. It is advisable to use version 0.8.17 or later, but not the newest release itself, because it has not been battle-tested yet and may contain undiscovered bugs.
Tips when deciding the Solidity Version to use
The latest Solidity version can be found in the Solidity documentation itself. The documentation is also a good place to read the changelogs, the list of breaking changes and the new features of each release.
Reference: https://docs.soliditylang.org/en/v0.8.19/080-breaking-changes.html
First, use version 0.8.0 or later. 0.8.0 introduced some of the most important changes in Solidity, notably checked arithmetic: integer overflow and underflow now revert by default instead of wrapping silently (SWC-101), so a SafeMath library is no longer required.
Second, avoid Solidity 0.8.13 and 0.8.14, because they shipped with ABI-encoding and inline-assembly bugs. Version 0.8.13 is affected by two of them:
An ABI-encoding bug, fixed in the 0.8.14 release, which is triggered when you, in the words of the release notes, "...pass a nested array directly to another external function call or use abi.encode on it."
ref: https://blog.soliditylang.org/2022/05/18/solidity-0.8.14-release-announcement/
An "Optimizer Bug Regarding Memory Side Effects of Inline Assembly", fixed in the 0.8.15 release, which is also why 0.8.14 should be avoided.
ref: https://blog.soliditylang.org/2022/06/15/solidity-0.8.15-release-announcement/
If your contract, or any contract it inherits from or imports, uses inline assembly, do not compile it with these versions. Note that a floating pragma such as ^0.8.13 still allows either of them to be selected; pin an exact version or start the range at 0.8.15 or later.
A more recent Solidity version also brings further advantages:
Use a Solidity version of at least 0.8.2 to get simple compiler automatic inlining.
Use a Solidity version of at least 0.8.3 to get better struct packing and cheaper multiple storage reads.
Use a Solidity version of at least 0.8.4 to get custom errors, which are cheaper at deployment than revert()/require() strings, and bytes.concat() instead of abi.encodePacked(<bytes>,<bytes>).
Use a Solidity version of at least 0.8.10 to have external calls skip the contract existence check when the call has a return value (ABI decoding of the return data fails anyway if the target has no code).
Use a Solidity version of at least 0.8.12 to get string.concat() instead of abi.encodePacked(<str>,<str>).
The best version to use right now is probably 0.8.17.
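To make the recommendations above concrete, here is an added example contract (written for this write-up, not taken from the SWC Registry or any real project) pinned to 0.8.17 that uses the features listed above: checked arithmetic from 0.8.0, custom errors and bytes.concat() from 0.8.4, the cheaper external call from 0.8.10 and string.concat() from 0.8.12. The IOracle interface and the Vault contract are hypothetical names chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
// Added example (not from the original post): a contract pinned to the
// compiler version the post recommends, exercising the 0.8.x features above.
//
// An exact pin instead of a floating range such as `^0.8.13` (which would
// still allow the buggy 0.8.13 and 0.8.14 compilers) keeps builds reproducible.
pragma solidity 0.8.17;

// Hypothetical interface, assumed for the example.
interface IOracle {
    function price() external view returns (uint256);
}

contract Vault {
    // 0.8.4+: custom errors are cheaper to deploy and to revert with than
    // require() strings, and they carry typed parameters for debugging.
    error InsufficientBalance(uint256 requested, uint256 available);
    error TransferFailed();

    mapping(address => uint256) public balances;

    // 0.8.0+: `+=` reverts on overflow by default (SWC-101); no SafeMath needed.
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        uint256 bal = balances[msg.sender];
        if (amount > bal) revert InsufficientBalance(amount, bal);
        // The guard above rules out underflow, so `unchecked` saves gas
        // without reintroducing SWC-101. Never opt out of checked arithmetic
        // without an explicit bound check like this one.
        unchecked {
            balances[msg.sender] = bal - amount;
        }
        // State is updated before the external call (checks-effects-interactions).
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }

    // 0.8.10+: because price() returns a value, the compiler omits the
    // EXTCODESIZE existence check before this call. A call to an address with
    // no code still reverts, because the empty return data fails ABI decoding.
    function quote(IOracle oracle) external view returns (uint256) {
        return oracle.price();
    }

    // 0.8.12+: string.concat replaces abi.encodePacked(<str>, <str>).
    function label(string calldata prefix) external pure returns (string memory) {
        return string.concat(prefix, "-", "0.8.17");
    }

    // 0.8.4+: bytes.concat replaces abi.encodePacked(<bytes>, <bytes>).
    function join(bytes memory a, bytes memory b) external pure returns (bytes memory) {
        return bytes.concat(a, b);
    }
}
```

If an exact pin is too strict for a library that other projects import, a bounded range such as `pragma solidity >=0.8.15 <0.9.0;` still excludes the affected 0.8.13 and 0.8.14 compilers; in either case confirm with `solc --version` that the compiler actually used by your build matches what the pragma allows.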
Real-world Examples
Most protocols do not run on the latest compiler, because a contract's bytecode is immutable once deployed on mainnet (the code cannot be changed any more), so whatever compiler was used at deployment time is the one the contract is stuck with. This SWC entry is a good first pass for low-risk or non-critical findings in a smart contract audit: as an auditor you can almost always cite it and give the client concrete guidance on which version to move to and why.
Summary
Use a Solidity version of at least 0.8.0, but not the latest release (use 0.8.17).
Avoid versions 0.8.13 / 0.8.14