Understanding Solidity Pragma and its Security Practices
What is pragma in Solidity?
A pragma is usually the first line of code in any Solidity file. This directive specifies the compiler version to be used for the compilation of the smart contract code written in Solidity.
How does Solidity pragma work?
A Solidity pragma is always local to a source file, so every Solidity file, including imported libraries, has to specify this directive to tell the compiler which Solidity version the code is written for.
There are multiple ways to specify the pragma version. It can either be a floating pragma, which specifies a range of compiler versions that can be used for compilation, or a strict pragma, which pins a single, hardcoded compiler version.
Below are a few examples of Solidity pragma and how each one works:
pragma solidity 0.6.12 - Only compiles with version 0.6.12
pragma solidity ^0.6.12 - Compiles with version 0.6.12 and above, up to but not including the next breaking release (0.7.0)
pragma solidity >=0.4.0 <0.6.0 - Compiles with all versions from 0.4.0 (inclusive) up to but not including 0.6.0

Note: Using the version pragma does not change the version of the compiler. It also does not enable or disable features of the compiler. It just instructs the compiler to check whether its version matches the one required by the pragma. If it does not match, the compiler issues an error.
Security Issues and Best Practices for Defining Solidity Pragma:
1. Use of older compiler version:
Solidity compilers from very old versions fail to incorporate the latest security checks and bug fixes.
A list of all compiler-specific bugs can be found on the official Solidity website: https://docs.soliditylang.org/en/v0.8.13/bugs.html
2. Use of very recent compiler version:
Using the latest versions might make contracts susceptible to undiscovered compiler bugs.
3. Use of floating pragma:
The contract should not use a floating pragma, e.g. ^0.6.0 or >=0.4.0 <0.6.0, which allows a range of compiler versions. It is important to lock the pragma (for example, pragma solidity 0.8.10 with no ^) to prevent contracts from being accidentally deployed using an older compiler with unfixed bugs.
4. Use of multiple Solidity pragmas across different files:
By mistake, developers often use different pragma versions across different files, which causes inconsistency and can introduce security issues. It is better to use one Solidity compiler version across all contracts instead of different versions, each with its own bugs and security checks.
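To make points 3 and 4 checkable before deployment, here is a small audit script (an added example, not code from the original post or from SolidityScan). It scans a set of Solidity sources for pragma statements, flags any floating pragma (anything other than a single pinned version), flags files with no pragma at all, and reports when different files pin different versions. The file contents below are constructed samples; the script only handles pragma lines that are not inside block comments.

```python
from __future__ import annotations
import re

# Matches "pragma solidity <version expression>;" at the start of a line.
# Lines commented out with "//" do not match because of the anchored "^\s*".
PRAGMA_RE = re.compile(r"^\s*pragma\s+solidity\s+([^;]+);", re.MULTILINE)
# A strict (locked) pragma is exactly one version number, e.g. 0.8.4.
STRICT_RE = re.compile(r"^\d+\.\d+\.\d+$")


def find_pragmas(source: str) -> list[str]:
    """Return every solidity version expression declared in one source file."""
    return [m.group(1).strip() for m in PRAGMA_RE.finditer(source)]


def is_floating(expr: str) -> bool:
    """True for ranges such as ^0.8.0 or >=0.4.0 <0.6.0; False for a pinned 0.8.4."""
    return STRICT_RE.match(expr) is None


def audit_pragmas(files: dict[str, str]) -> list[str]:
    """Audit {path: source}. Returns a list of human-readable findings (empty = clean)."""
    findings: list[str] = []
    versions_seen: dict[str, list[str]] = {}
    for path, src in files.items():
        exprs = find_pragmas(src)
        if not exprs:
            findings.append(f"{path}: missing pragma solidity")
            continue
        for expr in exprs:
            if is_floating(expr):
                findings.append(f"{path}: floating pragma '{expr}'")
            versions_seen.setdefault(expr, []).append(path)
    # Best practice 4: every file in the project should pin the same version.
    if len(versions_seen) > 1:
        findings.append("inconsistent pragma versions across files: "
                        + ", ".join(sorted(versions_seen)))
    return findings


# Constructed sample project: one locked file, two floating, one missing.
SAMPLE_FILES = {
    "Token.sol": "// SPDX-License-Identifier: MIT\npragma solidity 0.8.4;\ncontract Token {}\n",
    "Vault.sol": "pragma solidity ^0.8.0;\ncontract Vault {}\n",
    "Lib.sol": "pragma solidity >=0.4.0 <0.6.0;\nlibrary Lib {}\n",
    "Empty.sol": "contract NoPragma {}\n",
}

if __name__ == "__main__":
    for finding in audit_pragmas(SAMPLE_FILES):
        print(finding)
```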
Final notes:
It is recommended to use a strict and consistent pragma version across all the contracts, one that is neither too old nor too recent.
We at SolidityScan recommend version 0.8.4. Our product automatically scans for insecure usages of pragma versions and recommends the best practices.
Sign up for a free trial at https://solidityscan.com/signup