Floating Pragma
Detects contracts compiled with a floating pragma version that may produce different bytecode across compiler versions.
Overview
The floating pragma detector identifies contracts compiled with a non-pinned Solidity version (e.g., pragma solidity ^0.8.0 instead of pragma solidity 0.8.20). A floating pragma means the contract can be compiled with any compatible compiler version, potentially introducing behavioral differences, new bugs, or gas cost changes between versions.
Why This Is an Issue
Different compiler versions may optimize code differently, handle edge cases differently, or introduce new default behaviors. A contract audited under Solidity 0.8.19 may behave differently when compiled with 0.8.24 due to changes in the optimizer, default EVM target, or overflow handling. Pinning the compiler version ensures the deployed bytecode matches what was reviewed.
How to Resolve
// Before: Floating — any 0.8.x version
pragma solidity ^0.8.0;
// After: Pinned — exact version
pragma solidity 0.8.20;
Detection Methodology
- Metadata extraction: Reads the CBOR-encoded metadata appended to the bytecode to extract the compiler version.
- Source pragma analysis: When source code is available, checks whether the pragma uses ^, >=, or range operators.
- Version comparison: Flags contracts where the metadata compiler version suggests a floating pragma was used.
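The two inputs the methodology above relies on, as an added example that is not the detector's own code: a minimal CBOR decoder (written here, covering only the types solc emits) pulls the compiler version out of the metadata trailer that solc appends to bytecode, and a regex classifies a source pragma as pinned or floating. It assumes the standard trailer layout of a CBOR map followed by its 2-byte big-endian length, and the sample bytecode is constructed.

```python
import re

def _cbor_item(buf, pos):
    """Minimal CBOR decoder for what solc emits: bytes, text, map, bool."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info == 24:
        n, pos = buf[pos], pos + 1
    elif info == 25:
        n, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 2:  # byte string (ipfs hash, solc version)
        return buf[pos:pos + n], pos + n
    if major == 3:  # text string (map keys)
        return buf[pos:pos + n].decode(), pos + n
    if major == 5:  # map
        out = {}
        for _ in range(n):
            k, pos = _cbor_item(buf, pos)
            v, pos = _cbor_item(buf, pos)
            out[k] = v
        return out, pos
    if major == 7 and info in (20, 21):  # false / true (e.g. "experimental")
        return info == 21, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def solc_version_from_bytecode(code):
    """Return 'X.Y.Z' from the metadata trailer, or None when no usable metadata."""
    length = int.from_bytes(code[-2:], "big") if len(code) >= 2 else 0
    if length == 0 or length + 2 > len(code):
        return None  # no trailer: the page's false-negative case
    try:
        meta, _ = _cbor_item(code[-2 - length:-2], 0)
    except (ValueError, IndexError, UnicodeDecodeError):
        return None
    solc = meta.get("solc") if isinstance(meta, dict) else None
    if not isinstance(solc, bytes) or len(solc) != 3:
        return None
    return ".".join(str(b) for b in solc)  # three bytes: major, minor, patch

def pragma_is_floating(source):
    """True unless the pragma pins exactly one version (e.g. 0.8.20)."""
    m = re.search(r"pragma\s+solidity\s+([^;]+);", source)
    return m is None or not re.fullmatch(r"=?\s*\d+\.\d+\.\d+", m.group(1).strip())

# Constructed sample: 5 bytes of runtime code + solc 0.8.20 trailer (51-byte CBOR map, length 0x0033)
SAMPLE_BYTECODE = bytes.fromhex("6080604052a2646970667358221220" + "11" * 32 + "64736f6c63430008140033")
```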
Limitations
- False positives: Library contracts intended for wide reuse may intentionally use floating pragmas.
- False negatives: Contracts deployed without metadata cannot be analyzed for pragma style.
Related Detectors
- Outdated Compiler — detects old compiler versions with known bugs