Soroban version

Description

• Vulnerability Category: Best practices
• Vulnerability Severity: Enhacement
• Detectors: soroban-version
• Test Cases: soroban-version-1

Using an old version of Soroban can be dangerous, as it may have bugs or security issues. Use the latest version available.

Exploit Scenario

Consider the following Cargo.toml:

    [dependencies]
    soroban-sdk = { version = "=19.0.0" }

    [dev-dependencies]
    soroban-sdk = { version = "=19.0.0", features = ["testutils"] }

Problems can arise if the version is not updated to the latest available.

The vulnerable code example can be found here.

Remediation

    [dependencies]
    // Use the latest version available.
    soroban-sdk = { workspace = true }

    [dev-dependencies]
    soroban-sdk = { workspace = true, features = ["testutils"] }

The remediated code example can be found here.

References

• Floating Pragma
• outdated Compiler Version