Skip to content

Instantly share code, notes, and snippets.

@Theo6890

Theo6890/SOLIDITY_VERSION.md

Last active February 26, 2026 16:22
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Theo6890/9a1dfc9d9240a19e36f18ff21287f93b to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Theo6890/9a1dfc9d9240a19e36f18ff21287f93b to your computer and use it in GitHub Desktop.
Download ZIP
Latest safe Solidity 0.8.x to use in production
Raw
SOLIDITY_VERSION.md

Safest Versions To Use

Currently use 0.8.27 or 0.8.34. Avoid all versions in between.

  • 0.8.27: Use if you don't need custom storage namespaces (ERC-7201, Diamond) or Solidity custom layouts (layout at).
  • 0.8.34: Use if you need features introduced >=0.8.28.

Reasoning Behind Version Choices

0.8.26 vs 0.8.27

Feature / Issue Solidity v0.8.26 Solidity v0.8.27 (Recommended)
Internal Compiler Errors Vulnerable to crashes Fixed
via-IR Compilation Speed Standard Faster (optimized IR caching)
Custom Error Support Restricted to via-IR Expanded to legacy pipeline
v0.8.28 Exploit Risk (transient) Safe Safe (halts bytecode generation)
Storage Overflow Bug Vulnerable Vulnerable

Why 0.8.34 is Recommended

Solidity 0.8.34 contains all known fixes.

Versions 0.8.28 through 0.8.33 introduced features like transient storage and custom layouts but contained catastrophic code generation bugs.

Version Comparison

Feature / Vulnerability <= 0.8.27 (Legacy) 0.8.28 - 0.8.33 (Danger Zone) 0.8.34 (Modern Safe)
Transient Storage (tstore) Unsupported Critically Vulnerable Supported & Safe
Custom Layouts (layout at) Unsupported Supported Supported
Storage Array Overflow Vulnerable Vulnerable (Fixed in 0.8.32) Safe
Default EVM Target Cancun / Older Prague / Osaka Osaka

Security Awareness: Bugs in Older Versions

1. Transient Storage Collision (SOL-2026-1)

Affects: 0.8.28 - 0.8.33 (with --via-ir)

The Bug: The compiler names clearing routines based only on the variable's type, ignoring storage location. This causes persistent and transient routines to silently overwrite each other.

pragma solidity ^0.8.28;

contract TransientCollision {
    uint256 persistentData;
    uint256 transient t_temporaryData;

    function clearData() external {
        // Compiler generates identical Yul names for both 'uint256' variables.
        delete t_temporaryData; // Might mistakenly write to persistent storage
        delete persistentData;  // Might clear transient storage, leaving persistent data intact
    }
}

2. Lost Storage Array Write (SOL-2025-1)

Affects: < 0.8.32

The Bug: If an array anchors at the EVM's maximum storage limit and wraps to slot zero, the compiler's clearing loop fails instantly, leaving old data intact.

pragma solidity ^0.8.29;

contract ArrayOverflow {
    // Array placed at the edge of EVM storage
    uint256[] layout at 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff edgeArray;

    function triggerBug() external {
        edgeArray.push(1);
        edgeArray.push(2);

        // Math overflow causes the background clearing loop to fail immediately.
        delete edgeArray; // FAILS: Data remains permanently in storage!
    }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment