The Standard

DeFiHardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Risk of upgrade issues due to missing __gap variable

Summary

The SmartVaultManagerV5 contract inherits from OpenZeppelin upgradeable contracts but does not include a __gap variable.

contract SmartVaultManagerV5 is ISmartVaultManager, ISmartVaultManagerV2, Initializable, ERC721Upgradeable, OwnableUpgradeable {

Without this variable, it is not possible to add any new variables to the inherited contracts without causing storage slot issues. Specifically, if variables are added to an inherited contract, the storage slots of all subsequent variables in the contract will shift by the number of variables added. Such a shift would likely break the contract.

All upgradeable OpenZeppelin contracts contain a __gap variable, as shown in this figure.

Exploit Scenario

Alice, a developer of the protocol, adds a new variable to the SmartVaultManagerV5 contract as part of an upgrade. As a result of the addition, the storage slot of each subsequent variable changes, and the contract stops working.

Refer to the official OZ documentation, which says:

You may notice that every contract includes a state variable named __gap. This is empty reserved space in storage that is put in place in Upgradeable contracts. It allows us to freely add new state variables in the future without compromising the storage compatibility with existing deployments.

It isn’t safe to simply add a state variable because it "shifts down" all of the state variables below in the inheritance chain. This makes the storage layouts incompatible, as explained in Writing Upgradeable Contracts. The size of the __gap array is calculated so that the amount of storage used by a contract always adds up to the same number (in this case 50 storage slots).
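The slot shift and the fixed 50-slot budget described above can be checked mechanically. The following is an added example, not code from the submission or from OpenZeppelin. It assumes a simplified layout model (one or more whole slots per variable, linear inheritance), and the contract and variable names are hypothetical.

```python
# Added example: simplified model of Solidity storage layout.
# Assumption: each variable fills whole 32-byte slots (no packing) and
# inheritance is linear, so slots are assigned base-first in declaration order.

def layout(contracts):
    """contracts: [(name, [(var, n_slots), ...])] ordered base -> derived."""
    slots, cursor = {}, 0
    for name, variables in contracts:
        for var, size in variables:
            slots[f"{name}.{var}"] = cursor
            cursor += size
    return slots

def moved_variables(old, new):
    """Variables present in both versions whose slot changed.
    __gap is skipped: it is reserved space and is expected to shrink/move."""
    old_l, new_l = layout(old), layout(new)
    return sorted(k for k in old_l
                  if k in new_l and old_l[k] != new_l[k]
                  and not k.endswith(".__gap"))

# Constructed contracts (hypothetical names, not taken from the audited code).
CHILD = ("Child", [("owner", 1), ("count", 1)])

def upgrade_without_gap():
    old = [("Base", [("fee", 1)]), CHILD]
    new = [("Base", [("fee", 1), ("treasury", 1)]), CHILD]
    return moved_variables(old, new)

def upgrade_with_gap():
    # Base always occupies 50 slots: 1 + 49 before, 2 + 48 after.
    old = [("Base", [("fee", 1), ("__gap", 49)]), CHILD]
    new = [("Base", [("fee", 1), ("treasury", 1), ("__gap", 48)]), CHILD]
    return moved_variables(old, new)

def upgrade_gap_not_shrunk():
    # Failure mode: variable added but __gap left at 49, so Base grows to 51.
    old = [("Base", [("fee", 1), ("__gap", 49)]), CHILD]
    new = [("Base", [("fee", 1), ("treasury", 1), ("__gap", 49)]), CHILD]
    return moved_variables(old, new)

if __name__ == "__main__":
    print("no gap:        ", upgrade_without_gap())
    print("gap shrunk:    ", upgrade_with_gap())
    print("gap not shrunk:", upgrade_gap_not_shrunk())
```

A gap only protects the layout if it is reduced by exactly the number of slots added; the third case shows the derived contract's variables moving when that step is skipped.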

Impact

Can break future upgrades due to storage slot issues.

Tools Used

Manual inspection

Recommendations

Add a __gap variable inside SmartVaultManagerV5.sol. Example:

uint256[50] private __gap;

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

storage-gap

informational/invalid
