Summary

Storage layout clash has been identified between the Proxy and Distributor contracts.

Vulnerability Details

The Proxy contract, built using the delegate proxy pattern, holds an _implementation state variable that resides in its first storage slot (slot 0). Conversely, the Distributor contract's initial storage slot (also slot 0) is shared by a numeric variable 1 and the FACTORY_ADDRESS. This overlap means that when the Distributor's functions try to access FACTORY_ADDRESS, they could inadvertently modify or read the _implementation variable of the Proxy instead.

POC

Deploying Contracts: A user deploys the Proxy contract, setting its _implementation to point towards a pre-deployed Distributor contract. The intention is that the Proxy will delegate calls to the Distributor.

Reading _implementation Directly: When querying the _implementation address from the Proxy contract, the user accurately sees the Distributor contract's address.

Delegate Call to Distributor: A user calls a function on the Proxy that is designed to interact with the FACTORY_ADDRESS in the Distributor using a delegate call.

Unexpected Behavior: Due to the storage layout conflict, rather than accessing FACTORY_ADDRESS, the function reads the value in the Proxy's storage slot 0, which is _implementation. As a result, the user unexpectedly receives the Distributor's address.

The storage of the Proxy contract is what gets "overlapped" or unintentionally accessed. This is because the delegate call makes the Distributor contract read and write to the Proxy contract's storage.

The clash occurs because the Distributor contract's code expects its first state variable (FACTORY_ADDRESS) to be in storage slot 0, but when accessed via a delegate call from the Proxy, slot 0 contains the Proxy's _implementation address.

Impact

Any attempts to call the distribute function in Distributor.sol will revert because msg.sender != FACTORY_ADDRESS

Tools Used

Manuel Reviews

Recommendations

To prevent such issues, it's essential to ensure that the storage layouts of proxy and implementation contracts are synchronized and do not clash.

There are many ways to reserve special storage slots for specific variables so that you can be sure they wont overlap.