stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: low
Valid

Lack of storage gap in SDLPool.sol can lead to upgrade storage slot collision.

Summary

SDLPool.sol is an upgradeable contract with storage variables and two child contracts, SDLPoolPrimary.sol and SDLPoolSecondary.sol, but it does not implement storage gaps.

See the OpenZeppelin documentation on storage gaps: https://docs.openzeppelin.com/contracts/3.x/upgradeable#storage_gaps

Vulnerability Details

SDLPool.sol is an upgradeable contract with storage variables and two child contracts, SDLPoolPrimary.sol and SDLPoolSecondary.sol. All three are meant to be upgradeable, which means new functions and storage variables can be added to SDLPool.sol. However, the child contracts' variables are laid out in the slots directly after the parent's, so if a new storage variable is added to SDLPool.sol, it will overwrite the storage of the child contracts SDLPoolPrimary.sol and SDLPoolSecondary.sol.

Impact

When there is a need to upgrade SDLPool.sol with a new storage variable, storage collision can occur with the child contracts SDLPoolPrimary.sol and SDLPoolSecondary.sol.

Tools Used

Manual Review

Recommendations

Add storage gaps to the SDLPool.sol contract so that it can be upgraded with new storage variables without colliding with the child contracts' storage.
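The collision and the recommended fix, as an added example that is not part of the submission or of stake.link's code. The contracts, variable names and gap size are hypothetical, and the slot numbers assume the base contract inherits no other state.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts for illustration; not the SDLPool source.
// Slot numbers assume the base contract has no inherited state of its own.

// --- Without a gap: child state starts right after the parent's ---
abstract contract PoolBaseV1 {
    uint256 public totalStaked;   // slot 0
    address public rewardToken;   // slot 1
}
contract PoolPrimaryV1 is PoolBaseV1 {
    address public controller;    // slot 2
}

// Upgrade appends one variable to the parent.
abstract contract PoolBaseV2 {
    uint256 public totalStaked;   // slot 0
    address public rewardToken;   // slot 1
    uint256 public newFeeBps;     // slot 2: the proxy still holds the old `controller` here
}
contract PoolPrimaryV2 is PoolBaseV2 {
    address public controller;    // slot 3: shifted, now reads whatever was stored there (zero)
}

// --- With a gap: the parent reserves slots it can grow into ---
abstract contract GappedBaseV1 {
    uint256 public totalStaked;   // slot 0
    address public rewardToken;   // slot 1
    uint256[48] private __gap;    // slots 2..49 reserved for future parent variables
}
contract GappedPrimaryV1 is GappedBaseV1 {
    address public controller;    // slot 50
}

// Upgrade takes one slot from the gap and shrinks the gap by one.
abstract contract GappedBaseV2 {
    uint256 public totalStaked;   // slot 0
    address public rewardToken;   // slot 1
    uint256 public newFeeBps;     // slot 2, previously unused gap space
    uint256[47] private __gap;    // slots 3..49
}
contract GappedPrimaryV2 is GappedBaseV2 {
    address public controller;    // slot 50: unchanged, no collision
}
```

The gap must shrink by exactly the number of slots the new variables consume; comparing the compiler's storage layout output for the old and new implementations before an upgrade catches a miscount.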

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

storage-gap

Lack of storage gaps in SDLPool might impact storage of SDLPoolPrimary and SDLPoolSecondary if new storage is introduced in the future.
