Detector Documentation: Solidity Compiler Versions
Based on a recent exchange on Twitter, I think it would be a good idea to clarify why the specific Solidity compiler versions are chosen as recommendations here:

Hi @pcaversaccio, thanks for asking, this is a great question.
For 0.5/0.6/0.7 the recommended versions are the latest ones.
For 0.8, the recommendations are currently outdated, and will be updated before the next release.
Regarding our process, we take into consideration:
- The known bugs
- The risk of new features
- The time since the release - the more time has passed, the less likely the version is to have an unknown bug.
We do not recommend using the latest version for deployment due to the risks related to recent compiler updates. However, we do recommend using the latest version for testing (as a new version of the compiler might integrate new checks).
We also run fuzzing campaigns against solc from time to time to help us in our evaluation (see https://blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/ and https://blog.trailofbits.com/2021/03/23/a-year-in-the-life-of-a-compiler-fuzzing-campaign/).
@montyly thanks for the swift reply! I do understand the process you've taken and can follow the arguments (in particular regarding the time since release, as we've seen just recently with Solidity version 0.8.15, which fixed an optimizer bug for 0.8.13 and 0.8.14). What I'm asking you guys, however, is to provide more technical details on the selection in order to understand what exactly the key drivers are behind e.g. not recommending 0.6.10 but recommending 0.6.11. This might be a highly technical task but is still important for the sake of transparency. It's important to follow the mantra: verify what you actually run without trusting the compiler! And I want to verify Slither's output now ;-)
For the sake of transparency, ToB will write a FAQ: https://twitter.com/dguido/status/1538911430921142277
@montyly do you know what the 0.8 recommended version will be for the next release?
Any update on this @montyly?
@pcaversaccio : we added more context in the detector wiki: https://github.com/crytic/slither/wiki/Detector-Documentation#recommendation-71
@montyly why exactly do you recommend 0.8.16, since that one had the following (assembly-related) bug: "Storage Write Removal Bug On Conditional Early Termination"? 0.8.17 would make much more sense IMHO.
That's because the detector was not yet updated ;)
We plan to update it for the upcoming release: https://github.com/crytic/slither/issues/1693
@montyly I think with the latest additions, I will close the issue.
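
The selection criteria discussed in this thread (known bugs, time since release, latest version for testing only) can be sketched as a small filter. This is an added example, not Slither's detector logic or part of the original discussion: the release dates, the 90-day threshold, the affected range assumed for the storage write removal bug, and the function names are all assumptions.

```python
from datetime import date

# Constructed sample data; not taken from Slither or from solc's bug list.
# Release dates are sample values used only to exercise the age criterion.
RELEASED = {
    "0.8.13": date(2022, 3, 16),
    "0.8.14": date(2022, 5, 17),
    "0.8.15": date(2022, 6, 15),
    "0.8.16": date(2022, 8, 8),
    "0.8.17": date(2022, 9, 8),
}

# (label, affected versions). The thread only names 0.8.16 for the second bug;
# the wider range 0.8.13-0.8.16 is an assumption made for this example.
KNOWN_BUGS = [
    ("optimizer bug fixed in 0.8.15", {"0.8.13", "0.8.14"}),
    ("Storage Write Removal Bug On Conditional Early Termination",
     {"0.8.13", "0.8.14", "0.8.15", "0.8.16"}),
]


def version_key(version):
    """Sort key so that 0.8.9 orders before 0.8.13."""
    return tuple(int(part) for part in version.split("."))


def bugs_for(version):
    """Labels of the known bugs that affect the given version."""
    return [label for label, affected in KNOWN_BUGS if version in affected]


def assess(as_of, min_age_days=90):
    """Return (deploy_candidates, testing_version) as of a given date.

    Deployment: no known bug and at least min_age_days since release
    (hypothetical threshold). Testing: the newest release available.
    """
    available = sorted((v for v, d in RELEASED.items() if d <= as_of),
                       key=version_key)
    deploy = [v for v in available
              if not bugs_for(v) and (as_of - RELEASED[v]).days >= min_age_days]
    testing = available[-1] if available else None
    return deploy, testing


if __name__ == "__main__":
    for day in (date(2022, 7, 1), date(2022, 10, 1), date(2023, 2, 1)):
        print(day, assess(day))
```

On this sample data the newest release is always the testing choice, but it only becomes a deployment candidate once it has aged past the threshold without a known bug being reported against it.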