First Flight #3: Thunder Loan

First Flight #3

Beginner FriendlyFoundryDeFiOracle

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`ThunderLoanUpgraded` Storage Collisions Between Implementation Versions will cause critical error in the working

abhishekthakur

Summary

Difference between the order of storage variables in ThunderLoan and ThunderLoanUpgraded will cause storage collisions, leads to critical errors.

Vulnerability Details

Here is storage structure in ThunderLoan and ThunderLoanUpgraded contract.

Incorrect storage preservation in implementation:

Implementation_v0	Implementation_v1
mapping s_tokenToAssetToken	mapping s_tokenToAssetToken
uint256 s_feePrecision	uint256 s_flashLoanFee	<=== Storage collision!
uint256 s_flashLoanFee	mapping s_currentlyFlashLoaning	<=== Storage collision!
mapping s_currentlyFlashLoaning
	...

In v0, the layout is as follows:

s_tokenToAssetToken uses storage slot 0.
s_feePrecision uses storage slot 1.
s_flashLoanFee uses storage slot 2.
s_currentlyFlashLoaning uses storage slot 3.

In v1, the layout is as follows:

s_tokenToAssetToken uses storage slot 0.
s_flashLoanFee uses storage slot 1.
s_currentlyFlashLoaning uses storage slot 2.
The storage collision occurs because the s_flashLoanFee in v1 is using the same storage slot (slot 1) that s_feePrecision used in v0, and s_currentlyFlashLoaning in v1 is using the same storage slot (slot 2) that s_flashLoanFee used in v0. This means that during the upgrade, the values stored in s_feePrecision and s_flashLoanFee in v0 will be overwritten by the values in s_flashLoanFee and s_currentlyFlashLoaning in v1, respectively.
When contract is upgraded,

Impact

data will be corrupted which leads to unintended behaviour and loss of funds

Tools Used

Manual Review

Recommendations

Maintain the same storage stucture In new upgrades as well. Make sure that new variables are appended to the storage layout and that no existing slots are modified or reused.

storage preservation in implementation should look like this:

Implementation_v0	Implementation_v1
mapping s_tokenToAssetToken	mapping s_tokenToAssetToken
uint256 s_feePrecision	uint256 s_feePrecision	<= set value of this var
		zero, if not used in V1
uint256 s_flashLoanFee	uint256 s_flashLoanFee
mapping s_currentlyFlashLoaning	mapping s_currentlyFlashLoaning
	...

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

storage collision on upgrade

Rewards breakdown

nSLOC

387

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.