Submission Details
Severity: high
Valid

Mismatched storage layout for upgradeable logic contract

Summary

In the proxy pattern, the storage layout of the upgraded contract should follow the previous one. If it does not, storage collisions will occur and sensitive data will be overwritten.

Vulnerability Details

In the ThunderLoanUpgraded.sol contract, the storage layout is as follows:

mapping(IERC20 => AssetToken) public s_tokenToAssetToken;
uint256 private s_flashLoanFee;
mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning;

which is not consistent with the storage layout of ThunderLoan.sol:

mapping(IERC20 => AssetToken) public s_tokenToAssetToken;
uint256 private s_feePrecision;
uint256 private s_flashLoanFee;
mapping(IERC20 token => bool currentlyFlashLoaning) private s_currentlyFlashLoaning;

If the logic contract is upgraded, the storage slot that stores s_flashLoanFee will be overridden by s_currentlyFlashLoaning.

Impact

The value of s_flashLoanFee will be incorrect, leading to wrong calculations.

Tools Used

Manual Review

Recommendations

Keep the storage layout consistent with the previous one and avoid adding or deleting state variables.
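
One way to check this before an upgrade, as an added example that is not part of the original submission or the project's code: a diff over two storage layouts in the JSON shape of solc's storageLayout output. The sample layouts are constructed from the variables listed above; slot numbers starting at 0 (no inherited storage), the simplified type strings and the helper names are assumptions.

```python
# Added example: report every storage position that the old implementation
# used and the upgraded one would read as a different variable.
# Sample layouts are constructed; slots start at 0 on the assumption of no
# inherited storage, and the type strings are simplified.

def var(label, slot, typ, offset=0):
    # One entry of the "storage" array; solc reports the slot as a string.
    return {"label": label, "slot": str(slot), "offset": offset, "type": typ}

TOKEN_MAP = "t_mapping(IERC20,AssetToken)"  # simplified type id
BOOL_MAP = "t_mapping(IERC20,t_bool)"       # simplified type id

THUNDER_LOAN = {"storage": [
    var("s_tokenToAssetToken", 0, TOKEN_MAP),
    var("s_feePrecision", 1, "t_uint256"),
    var("s_flashLoanFee", 2, "t_uint256"),
    var("s_currentlyFlashLoaning", 3, BOOL_MAP),
]}
THUNDER_LOAN_UPGRADED = {"storage": [
    var("s_tokenToAssetToken", 0, TOKEN_MAP),
    var("s_flashLoanFee", 1, "t_uint256"),
    var("s_currentlyFlashLoaning", 2, BOOL_MAP),
]}

def by_position(layout):
    # Key each variable by (slot, byte offset within the slot).
    return {(int(v["slot"]), v["offset"]): (v["label"], v["type"])
            for v in layout["storage"]}

def diff_layout(old, new):
    """List (slot, offset, old_label, new_label) for every position the old
    implementation used that the new one reads as a different variable or
    type, or no longer declares (new_label is None)."""
    old_pos, new_pos = by_position(old), by_position(new)
    findings = []
    for pos in sorted(old_pos):
        before, after = old_pos[pos], new_pos.get(pos)
        if after != before:
            findings.append((*pos, before[0], after[0] if after else None))
    return findings

if __name__ == "__main__":
    for slot, offset, was, now in diff_layout(THUNDER_LOAN, THUNDER_LOAN_UPGRADED):
        print(f"slot {slot} offset {offset}: {was} -> {now or '<unused>'}")
```

A non-empty result means the upgrade reinterprets existing proxy storage and should be blocked until the layouts match.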

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

storage collision on upgrade
