Storage Collision Might Occur between Proxy & Implementation
Summary
Storage collisions resulting from the absence of EIP-1967 may lead to conflicts and the unintended overwriting of important variables.
Vulnerability Details
Impact
When implementing proxies, it's essential to note that both the logical structure and the implementation details share the same storage layout. In order to mitigate potential storage conflicts, the Ethereum Improvement Proposal 1967 (EIP-1967) was introduced (https://eips.ethereum.org/EIPS/eip-1967). This proposal advocates for the establishment of proxy variables at predetermined positions, such as 'implementation' and 'admin'.
For instance, in accordance with the standard, the designated slot for the logic implementation address is represented by the value:
0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc (computed as bytes32(uint256(keccak256('eip1967.proxy.implementation')) - 1))
Further elaboration on this matter can be found in the comprehensive documentation provided by OpenZeppelin through the following link under Unstructured Storage Proxies:
https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies
Tools Used
Manual Review
Recommendations
Consider Implementing EIP-1967
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.