Importing contacts from Openzeppelin with v0.8.20 can cause problems while deploying on Polygon and other L2

[codehawks-bot]

Importing contacts from Openzeppelin with v0.8.20 can cause problems while deploying on Polygon and other L2

Severity

High Risk

Relevant GitHub Links

2023-08-sparkn/src/ProxyFactory.sol

Line 26 in 0f139b2

import {Ownable} from "openzeppelin/access/Ownable.sol";

Summary

Solidity v0.8.20 introduced a new PUSH0 opcode which is still not supported by the major L2 including the polygon POS where the project is supposed to be deployed.

Vulnerability Details

The project is importing contracts from the Openzeppelin latest release where they are using solidity v0.8.20.This version comes with the new opcode PUSH0 which is still not supported by major L2s including polygon POS. There was a discussion on the Openzeppelin forum regarding this Read More
This type of major update can break the system in a instance and it is often ignored by developers so highly recommed to take the mitigation step to avoid this.

More information

https://wiki.polygon.technology/docs/supernets/operate/supernets-requirements/#:~:text=SOLIDITY%20V0.8.19%20OR,v0.8.19%20or%20earlier.

https://www.zaryabs.com/push0-opcode/

Impact

Deploying on the chain without the opcode support can lead to the DOS of the system.

Tools Used

manual Review

Recommendations

Some common mitigation to avoid this issue are when deploying to L2s

• Downgrading the openzeppelin version to 0.8.19 or less
• Customize the solc to use the paris hard fork instead of the default Shanghai to avoid including the new opcode

[PatrickAlphaC]

They are using pragma solidity 0.8.18;