Lack of storage gap in SDLPool.sol can lead to upgrade storage slot collision.
Summary
SDLPool.sol is an upgradable contract with storage variables and it has child contracts SDLPoolPrimary.sol and SDLPoolSecondary.sol but does not have storage gaps implemented.
see storage gaps here: https://docs.openzeppelin.com/contracts/3.x/upgradeable#storage_gaps
Vulnerability Details
SDLPool.sol is an upgradable contract with storage variables and it has child contracts SDLPoolPrimary.sol and SDLPoolSecondary.sol. All are meant to be upgradeable which means new functions and storage variables can be added to the SDLPool.sol contract. However, if a new storage variable is added to SDLPool.sol , it will overwrite the storage of the children contract SDLPoolPrimary.sol and SDLPoolSecondary.sol.
Impact
When there is a need to upgrade SDLPool.sol with a new storage variable, storage collision can occur with the child contracts SDLPoolPrimary.sol and SDLPoolSecondary.sol.
Tools Used
Manual Review
Recommendations
Add storage gaps to the SDLPool.sol contract to allow easy upgrade.
Lead Judging Commences
storage-gap
Lack of storage gaps in SDLPool might impact storage of SDLPoolPrimary and SDLPoolSecondary if new storage introduced in future.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.