Researchers have uncovered 25 miscompilation bugs in the Solidity compiler — the tool that turns human-written smart contracts into the bytecode that runs on Ethereum [S1]. Some had gone unnoticed for years [S1]. The finding strikes at a layer of the blockchain stack that almost nobody audits: not the contract code itself, but the compiler that translates it. If that translation is wrong, even a perfectly written contract can behave in ways its authors never intended.

The bug you cannot see in your code

A compiler is a bridge. You write Solidity. The compiler turns it into EVM bytecode, the machine language that actually runs on the Ethereum blockchain. A miscompilation bug is a defect where the compiler produces incorrect output from correct input [S1]. Your source code is right. The bytecode is wrong. No amount of auditing the Solidity source will reveal it, because the error lives in the translation, not the original.

Over three years, the researchers built a tool called SolSmith to find these defects [S1]. SolSmith is a semantics-aware differential fuzz testing tool: it generates valid test programs designed to stress the compiler's code generation and optimization components, then compares outputs to detect discrepancies [S1]. The approach targets the parts of the compiler where silent errors are most likely to hide.

25 bugs, some years old

The researchers found 25 miscompilation bugs, some of which had persisted for multiple years [S1]. They classified the bugs by their nature, root causes, and impact on end-users [S1]. The bugs could have serious implications for smart contracts and their users [S1], though the researchers describe these as potential risks rather than demonstrated exploits.

The paper describes Solidity as the most popular compiler for the Ethereum blockchain [S1]. The project's GitHub repository shows over 25,600 stars and 6,100 forks, reflecting its central role in the ecosystem [P5]. The compiler has been under active development since 2015 and is written primarily in C++ [P5].

What it means

A miscompilation bug undermines the trust model that smart contract security is built on. The standard practice in Ethereum is to audit the source code — the Solidity a developer writes. Security firms review it line by line. But the code that actually runs on the blockchain is the compiled bytecode. If the compiler introduces an error during translation, the bytecode does not match the source. An audit of the source code would pass. The contract would still be wrong.

This is not a purely theoretical concern. An earlier study published in 2024 examined the types and frequency of defects in the Solidity compiler, laying groundwork for understanding where bugs cluster [P4]. The new research narrows the focus to miscompilation specifically — the subset of bugs where the compiler silently produces incorrect output rather than crashing or refusing to compile.

The pattern has parallels beyond blockchain. A 2026 study of the PyTorch compiler found similar silent correctness bugs in AI infrastructure, where optimization passes introduce errors that produce wrong results without any error message [P3]. The common thread: a compiler trusted to translate code correctly instead introduces subtle errors that are hard to detect because the output looks plausible.

For anyone using Ethereum applications, the implication is that contract security depends not just on the developer who wrote the code and the auditor who reviewed it, but on the compiler that translated it. A bug in the compiler is a bug in every contract compiled with that version.

What it means for business

For developers and firms building on Ethereum, this research changes the calculus of compiler version selection. If a contract was compiled with a Solidity version affected by one of these 25 bugs, the deployed bytecode may not match the intended logic. A two-person DeFi startup that deployed a contract two years ago might need to check whether their compiler version was affected, and whether the specific bug could have changed their contract's behaviour.

The practical steps are concrete. First, identify which Solidity compiler version was used for each deployed contract. Second, check whether that version is affected by any of the 25 bugs described in the research. Third, if a contract is affected, assess whether the specific bug could alter the contract's behaviour in a way that matters — not every miscompilation bug affects every contract.

For auditing firms, the research suggests that source-code review alone may be insufficient. Verifying that deployed bytecode matches intended behaviour requires checking the compiler's output, not just the input. That adds a layer of work to the audit process.

For the Solidity team, the research is a direct contribution to compiler quality. SolSmith is designed to generate test programs that stress code generation and optimization [S1], the components where miscompilation bugs live. Whether the tool will be released publicly is not stated in the paper.

What we don't know yet

The paper is a preprint and has not been peer-reviewed [S1]. The bug count and severity are self-reported by the authors without independent verification. The claim that some bugs went unnoticed "for multiple years" is stated without specifying which bugs or exactly how long [S1].

The paper does not confirm that any of the 25 bugs were exploited in live smart contracts. The "serious implications" described are potential, not demonstrated [S1]. It is also unclear whether all 25 bugs affect the current version of the Solidity compiler, or whether some have already been fixed in newer releases.

SolSmith itself may or may not be publicly available. The paper does not state whether the tool has been open-sourced, which means other researchers cannot yet independently reproduce the findings.

The next concrete event to watch for is peer review and formal publication of this paper, along with any response from the Solidity compiler team. If the bugs are confirmed and some affect current compiler versions, patch releases would follow. Until then, the findings are promising but unverified.

If this kind of deep technical reporting is useful to you, subscribe to keep reading.

Sources: [S1] arXiv preprint, "Finding and Understanding Miscompilation Bugs in the Solidity Compiler," July 2026. [P2] arXiv HTML version of same paper. [P3] arXiv, "Demystifying the Silence of Correctness Bugs in PyTorch Compiler," 2026. [P4] arXiv, "Towards Understanding the Bugs in Solidity Compiler," 2024. [P5] GitHub, ethereum/solidity repository.

Sources

More from Not A Tech Guy


Generated from an audited evidence pack with primary-source research. Social-media items are discussion signals, not verified facts. Nothing here is financial, legal or medical advice.