Report #21001

Report ID

#21001

Target

https://etherscan.io/address/0x39cdAf9Dc6057Fd7Ae81Aaed64D7A062aAf452fD

Report type

Smart Contract

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Has PoC?

Yes

Hello Team,

I Would like to share an issue in smart contract in which developer implemented

Which is not recommended at version ^0.7.0 ;

Means ,

In Link = https://etherscan.io/address/0x39cdAf9Dc6057Fd7Ae81Aaed64D7A062aAf452fD?utm_source=immunefi#code

Here (Fertilizer.sol) , Uses the pragma Experminatal which is not recommended on mainnet

Generally speaking, experimental features can be unstable and produce unexpected and undocumented bugs - which you might not want in a production environment. Hence the warning.

This specific ABIEncoderV2 was introduced in Solidity version 0.5, enabling use of nested arrays and mappings. In this Solidity version, the encoder's stability was marked as experimental (i.e. likely unstable).

Docs: https://docs.soliditylang.org/en/v0.5.17/layout-of-source-files.html#abiencoderv2

In the current Solidity version 0.8, the ABIEncoderV2 encoder is stable and no longer experimental

Experimental Pragma in Solidity is used to enable experimental features of Solidity that are not enabled by default.

Example

the below code with struct types will throw a compilation error.

// SPDX-License-Identifier: GPL-3.0 pragma solidity ^0.6.0; contract Test { struct S { uint a; uint[] b; T[] c; } struct T { uint x; uint y; } function f(S memory, T memory, uint) public pure {} function g() public pure returns (S memory, T memory, uint) {} }

Compilation Error

contracts/Sample.sol:12:12: TypeError: This type is only supported in ABIEncoderV2. Use "pragma experimental ABIEncoderV2;" to enable the feature. function f(S memory, T memory, uint) public pure {} ^------^

To overcome this, the pragma experimental ABIEncoderV2 can be used as below that compiles the code without any issues.

But It's Not Recommended to use Experimental Pragma on Mainnet

In Link = https://etherscan.io/address/0x39cdAf9Dc6057Fd7Ae81Aaed64D7A062aAf452fD?utm_source=immunefi#code

At File 1 ( Fertilizer.sol) you see an Experimental ABIEncoderV2;

If you have deployed contracts which use the experimental ABI encoder V2, then those might be affected. This means that only contracts which use the following directive within the source code can be affected:

pragma experimental ABIEncoderV2;

Additionally, there are a number of requirements for the bug to trigger. See technical details further below for more information.

As far as we can tell, there are about 2500 contracts live on mainnet that use the experimental ABIEncoderV2. It is not clear how many of them contain the bug.

Pic = attached below

Not use Experimental version in mainet Deployment

Please let me know if have any query

Thank You

Step 1 : Open the Link = https://etherscan.io/address/0x39cdAf9Dc6057Fd7Ae81Aaed64D7A062aAf452fD?utm_source=immunefi#code

Step 2 : At file 1 ( Fertilizer.sol)

Here (Fertilizer.sol) , Uses the pragma Experminatal which is not recommended on mainnet

Generally speaking, experimental features can be unstable and produce unexpected and undocumented bugs - which you might not want in a production environment. Hence the warning.

This specific ABIEncoderV2 was introduced in Solidity version 0.5, enabling use of nested arrays and mappings. In this Solidity version, the encoder's stability was marked as experimental (i.e. likely unstable).

Docs: https://docs.soliditylang.org/en/v0.5.17/layout-of-source-files.html#abiencoderv2

In the current Solidity version 0.8, the ABIEncoderV2 encoder is stable and no longer experimental