apegurus/floating-pragma
skills/vulnerability-patterns/floating-pragma/SKILL.md
- Deployable contract uses a floating or range pragma (e.g., `pragma solidity ^0.8.0`, `pragma solidity >=0.8.0`)
devops
Updated May 13, 2026
$ install --global
skillsauthnpx skillsauth add apegurus/solidity-argus floating-pragmaInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 13, 2026, 3:26 AM125.4s1 file scanned
SKILL.md
- name:
- floating-pragma
- description:
- Floating pragma via caret version range
- pattern_category:
- logic-error
- - regex:
- pragma solidity \^
- severity:
- Medium
- confidence:
- High
- swc:
- SWC-103
<!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->
Floating Pragma
Preconditions
- Deployable contract uses a floating or range pragma (e.g.,
pragma solidity ^0.8.0,pragma solidity >=0.8.0) - The contract is intended for deployment (not a library or package for external consumption)
Vulnerable Pattern
// Floating pragma — could compile with any 0.8.x version
pragma solidity ^0.8.0;
contract Token {
// May be compiled with 0.8.0 (tested) or 0.8.25 (untested)
// Different compiler versions may have different bugs or behavior
mapping(address => uint256) public balances;
}
// Range pragma — even wider range
pragma solidity >=0.7.0 <0.9.0;
Detection Heuristics
- Search for
pragma soliditydeclarations in all.solfiles - If the pragma contains
^,>=,>, or a range (e.g.,>=0.8.0 <0.9.0), flag it as floating - Check if the file is a deployable contract or a library/package — libraries are exempt
- A locked pragma looks like
pragma solidity 0.8.20;(exact version, no caret or range) - Check if different files in the project use different Solidity versions — this creates inconsistency risk
False Positives
- Libraries and packages intended for external consumption (e.g., npm packages, OpenZeppelin-style libraries) appropriately use floating pragmas for compatibility
- Interface files (
.solfiles containing onlyinterfacedefinitions) may use floating pragmas - The floating pragma is in a test file, not a production contract
Remediation
- Use locked pragmas for all deployable contracts:
pragma solidity 0.8.20; - Verify the locked version is tested and free of known compiler bugs
- Maintain consistent Solidity versions across the project
// Locked pragma — deterministic compilation
pragma solidity 0.8.20;
contract Token {
mapping(address => uint256) public balances;
}
Related Skills
apegurus/vector-scan
testing
VerifiedTrustedCommunity
Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.
SKILL.mdUpdated May 30, 2026
apegurus/periphery
tools
VerifiedTrustedCommunity
Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.
SKILL.mdUpdated May 30, 2026
apegurus/math-precision
testing
VerifiedTrustedCommunity
Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.
SKILL.mdUpdated May 30, 2026
apegurus/invariant
testing
VerifiedTrustedCommunity
Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.
SKILL.mdUpdated May 30, 2026