From c4321f1f5aa89b2a6c7af7dd9baf639551fe6c17 Mon Sep 17 00:00:00 2001 From: 77ph Date: Sun, 22 Mar 2026 00:13:52 +0200 Subject: [PATCH] =?UTF-8?q?fix:=20upgrade=20solc=200.8.30=20=E2=86=92=200.?= =?UTF-8?q?8.34=20to=20mitigate=20TSTORE=20Poison=20compiler=20bug?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit solc 0.8.28–0.8.33 with via-IR has a cache key collision in storageSetToZeroFunction: `delete` on a transient state variable can silently emit sstore instead of tstore (or vice versa), causing permanent storage corruption (e.g. zeroing owner slot, bypassing reentrancy guards, persisting stale approvals). This project meets 3 of 4 trigger conditions: - solc 0.8.30 ✓ - viaIR = true ✓ - `bool transient _locked` in 5 contracts ✓ - `delete` on transient vars ✗ (only assignment used — safe for now) While not currently exploitable (no `delete` on transient vars), upgrading to 0.8.34 eliminates the risk entirely and prevents future code changes from accidentally activating the bug. References: - https://hexens.io/research/solidity-compiler-bug-tstore-poison - https://soliditylang.org/blog/2026/02/18/transient-storage-clearing-helper-collision-bug/ Co-Authored-By: Claude Opus 4.6 --- foundry.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/foundry.toml b/foundry.toml index 1ac879a..f6a3f80 100644 --- a/foundry.toml +++ b/foundry.toml @@ -1,5 +1,5 @@ [profile.default] -solc = "0.8.30" +solc = "0.8.34" src = "contracts" out = "out" libs = ["lib"]