Recommended Solidity version for security conscious contracts

Slither has given a recommendation to not use >0.5.11 solidity version.

  1. Does the OpenZeppelin team agree with the general idea that “older versions, unless having a known vulnerability, are more secure”?
  2. What is the most recent version of Solidity that the OpenZeppelin team “recommends”? (I’m guessing whatever version the current contracts library uses is “good enough” in your eyes security-wise?)

The reason I am asking this is that I have a contract that is targeting 0.7.0, but it is easily ported to 0.6.12 and 0.5.11.

I am wondering if my choice of compiler target will greatly affect security in some ways, and would like OpenZeppelin’s opinion on which version to target for a security-conscious contract.

Thanks in advance!

1 Like

Looks as though depending on the contract some allow >=0.4.24 <0.7.0 while some are ^0.5.0

So just from a cursory glance of the contracts in the SDK, not sure if 0.6.x is considered secure or not.

One feature we are hoping to utilize is the immutable keyword which was introduced in 0.6.5… but it is not a necessity if ^0.6.5 versions are considered unsafe.

1 Like

Hi @junderw,

OpenZeppelin Contracts v3.x uses Solidity 0.6.

Solidity 0.7 was only released last week, so some tools in the ecosystem may not support it yet. See OpenZeppelin Contracts and Solidity 0.7 for details on support.

There isn’t a recommendation to use a specific Solidity version that I know of, so I would be interested in what the community’s thoughts are.

I suggest that you check with Slither on why they give the recommendation to use versions 0.5.11 or 0.4.25.

1 Like

Thanks, I made an issue on Slither’s repo.

I look forward to everyone’s input.

1 Like

Hi @junderw,

Checking with the OpenZeppelin Research team and their recommendation is either the latest Solidity 0.5 or Solidity 0.6 version of the compiler. Soon this will be changed to Solidity 0.6 or Solidity 0.7 latest versions.

They also recommend full unit testing, beta testing, bug bounties, monitoring, and paying close attention to all dependencies including the compiler for your smart contracts.

1 Like
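The thread above boils down to two checks a team can automate before picking a compiler target: does the chosen `solc` version actually satisfy every `pragma solidity` range in the code base (the `>=0.4.24 <0.7.0` and `^0.5.0` ranges noted earlier, plus a `^0.6.5` floor if `immutable` is needed), and is that version on the "latest 0.5 or latest 0.6" list the Research team gave. The script below is an added example written for this page, not code from OpenZeppelin, Slither or the thread's author. The sample source is constructed, and the `RECOMMENDED_VERSIONS` set is an assumption (0.6.12 appears in the thread; 0.5.17 as the final 0.5 release is assumed and should be maintained as releases move).

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Assumed "latest 0.5 / latest 0.6" set per the thread's recommendation.
# 0.6.12 is mentioned in the thread; 0.5.17 is assumed. Update as needed.
RECOMMENDED_VERSIONS = {(0, 5, 17), (0, 6, 12)}

_PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
_CLAUSE_RE = re.compile(r"(\^|~|>=|<=|>|<|=)?\s*(\d+)\.(\d+)\.(\d+)")

# Constructed sample: two contract files concatenated, ranges taken from the thread.
SAMPLE_SOURCE = """
pragma solidity >=0.4.24 <0.7.0;
pragma solidity ^0.6.5;   // contract that relies on the immutable keyword
"""


def parse_version(text: str) -> Version:
    """Turn '0.6.12' into the tuple (0, 6, 12)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"not a Solidity version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def extract_pragmas(source: str) -> List[str]:
    """Return every constraint declared with 'pragma solidity ...;'."""
    return [p.strip() for p in _PRAGMA_RE.findall(source)]


def _clause_ok(op: str, req: Version, v: Version) -> bool:
    """Evaluate one comparator such as '^0.5.0' or '<0.7.0' against a version."""
    if op == "^":
        # caret: same major; for 0.x releases same minor (^0.5.0 => >=0.5.0 <0.6.0)
        upper = (0, req[1] + 1, 0) if req[0] == 0 else (req[0] + 1, 0, 0)
        return req <= v < upper
    if op == "~":
        # tilde: same major.minor, any later patch
        return req <= v < (req[0], req[1] + 1, 0)
    return {
        ">=": v >= req, "<=": v <= req, ">": v > req, "<": v < req,
    }.get(op, v == req)  # '=' or a bare version means an exact match


def pragma_allows(constraint: str, v: Version) -> bool:
    """True if compiler version v satisfies the pragma constraint.
    Space-separated clauses are AND-ed; '||' separates alternatives."""
    for alternative in constraint.split("||"):
        clauses = _CLAUSE_RE.findall(alternative)
        if not clauses:
            raise ValueError(f"unparseable pragma: {constraint!r}")
        if all(_clause_ok(op, (int(a), int(b), int(c)), v) for op, a, b, c in clauses):
            return True
    return False


def assess(source: str, target: str) -> Dict[str, object]:
    """Check every pragma in source against a chosen compiler version and
    report whether that version is on the (assumed) recommended list."""
    v = parse_version(target)
    pragmas = extract_pragmas(source)
    blocked = [p for p in pragmas if not pragma_allows(p, v)]
    return {
        "target": target,
        "pragmas": pragmas,
        "compiles": not blocked,
        "blocked_by": blocked,
        "recommended": v in RECOMMENDED_VERSIONS,
    }


if __name__ == "__main__":
    # The three targets the question weighs against each other.
    for candidate in ("0.5.11", "0.6.12", "0.7.0"):
        print(assess(SAMPLE_SOURCE, candidate))
```

Run against the constructed sample, 0.6.12 is the only candidate that both satisfies every pragma (including the `^0.6.5` floor for `immutable`) and sits on the recommended list; 0.5.11 is blocked by the `^0.6.5` file, and 0.7.0 is blocked by both ranges. Pointing `extract_pragmas` at the real source tree, dependencies included, turns the thread's advice about watching the compiler dependency into a check that runs in CI.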