For most source units the compiler version pragma is unspecific, e.g. pragma solidity ^0.6.0; which accepts any 0.6.x compiler.
While this often makes sense for libraries, so they can be included in applications built with several compiler versions, it is a security risk for the actual application implementation.
A compiler version with known bugs may be selected unintentionally, and a security tool that falls back to an older compiler than the one used for deployment ends up analysing different EVM bytecode from what is actually deployed on the blockchain.
Avoid floating pragmas.
We highly recommend pinning a concrete compiler version (the latest release without known compiler bugs) in at least the top-level "deployed" contracts, so that it is unambiguous which compiler version is used; the pinned version must also satisfy the floating pragmas of any libraries included in the same unit, otherwise the flattened unit will not compile.
Rule of thumb: a flattened source-unit should have at least one non-floating concrete solidity compiler version pragma.
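The rule of thumb above can be checked mechanically. The following Python script is an added example (not part of the original page or of any audited project): it extracts every pragma solidity statement from a flattened source unit, ignoring commented-out ones, reports whether at least one is an exact three-part pin such as 0.6.12, and verifies that every pin satisfies every other pragma in the file. It supports the common constraint subset (^, ~, comparison operators, space-separated AND, || OR); anything else is treated as a conflict, i.e. it fails closed. The Solidity snippets embedded at the bottom are constructed for the demonstration.

```python
"""Check that a flattened Solidity source unit pins at least one exact compiler
version and that the pin is compatible with every other pragma in the file."""
import re

PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
TERM_RE = re.compile(r"^(\^|~|>=|<=|>|<|=)?(\d+)\.(\d+)\.(\d+)$")
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def _norm(constraint: str) -> str:
    """Collapse whitespace and remove spaces after operators (">= 0.6.0" -> ">=0.6.0")."""
    c = " ".join(constraint.split())
    return re.sub(r"(\^|~|>=|<=|>|<|=)\s+", r"\1", c)


def find_pragmas(src: str) -> list:
    """Return every 'pragma solidity' constraint in the unit, ignoring comments."""
    code = COMMENT_RE.sub("", src)
    return [_norm(m.group(1)) for m in PRAGMA_RE.finditer(code)]


def is_pinned(constraint: str) -> bool:
    """True only for a single exact three-part version such as 0.6.12 or =0.6.12."""
    m = TERM_RE.match(_norm(constraint).replace(" ", ""))
    return bool(m) and m.group(1) in (None, "=")


def _term_ok(v: tuple, term: str) -> bool:
    """Does version tuple v satisfy one operator+version term?"""
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"unsupported pragma term: {term!r}")
    op = m.group(1)
    lo = tuple(int(x) for x in m.groups()[1:])
    if op in (None, "="):
        return v == lo
    if op in (">=", ">", "<=", "<"):
        return {">=": v >= lo, ">": v > lo, "<=": v <= lo, "<": v < lo}[op]
    if op == "~":                      # ~x.y.z: patch updates only
        hi = (lo[0], lo[1] + 1, 0)
    elif lo[0] > 0:                    # ^x.y.z with x>0: up to next major
        hi = (lo[0] + 1, 0, 0)
    elif lo[1] > 0:                    # ^0.y.z: up to next minor
        hi = (0, lo[1] + 1, 0)
    else:                              # ^0.0.z: only that patch
        hi = (0, 0, lo[2] + 1)
    return lo <= v < hi


def satisfies(version: str, constraint: str) -> bool:
    """Does an exact version satisfy a pragma constraint (AND by space, OR by '||')?"""
    v = tuple(int(x) for x in version.lstrip("=").split("."))
    return any(all(_term_ok(v, t) for t in alt.split())
               for alt in _norm(constraint).split("||"))


def check_flattened_unit(src: str) -> dict:
    """Apply the rule of thumb: at least one exact pin, and no pin that
    contradicts another pragma in the same unit."""
    pragmas = find_pragmas(src)
    pinned = [p for p in pragmas if is_pinned(p)]
    floating = [p for p in pragmas if not is_pinned(p)]
    conflicts = []
    for pin in pinned:
        for c in pragmas:
            try:
                ok = satisfies(pin, c)
            except ValueError:
                ok = False             # unsupported syntax: fail closed
            if not ok:
                conflicts.append((pin, c))
    return {"pragmas": pragmas, "pinned": pinned, "floating": floating,
            "conflicts": conflicts, "ok": bool(pinned) and not conflicts}


# Constructed sample inputs (illustrative, not from any real project).
GOOD = """
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;     // library: floating is tolerable here
/* pragma solidity 0.4.24;   stale, commented out, must be ignored */
library SafeMath { function add(uint a, uint b) internal pure returns (uint) { return a + b; } }

pragma solidity 0.6.12;     // deployed contract: pinned
contract Vault { uint public total; }
"""
FLOATING_ONLY = "pragma solidity ^0.6.0;\ncontract Vault { }\n"
CONFLICT = "pragma solidity >=0.6.0 <0.7.0;\npragma solidity 0.7.6;\ncontract Vault { }\n"

if __name__ == "__main__":
    for name, src in (("GOOD", GOOD), ("FLOATING_ONLY", FLOATING_ONLY), ("CONFLICT", CONFLICT)):
        print(name, check_flattened_unit(src))
```

Run it against the output of your flattener (or the exact source submitted for verification on a block explorer) as a pre-deployment gate: a unit whose result has "ok": False either has no pinned pragma at all, or pins a version that the included libraries' constraints reject.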
- ConsenSys Audit 1inch Finding 4.6
- Configuration
- Floating/Unlocked Solidity Compiler Pragma
- Fixed Pragma
- Recommended Version