Submission Details
Severity: low
Valid

The storage gap convention for upgradeable contracts is not followed, which can affect the layout of future child contracts

Summary

Storage gaps are a convention for reserving storage slots in a base contract. This allows future versions of that contract to use up those slots without affecting the storage layout of child contracts. The __gap variable is missing from the MondrianWallet2 contract.

Vulnerability Details

According to the convention, it is useful to declare unused variables, the so-called storage gaps, in base contracts that you may want to extend in the future, as a means of "reserving" those slots.

This can be done by adding the unused __gap variable to the beginning of the contract, e.g. at Line 36 of MondrianWallet2.sol. The variable name __gap or a name starting with __gap_ must be used for the array so that OpenZeppelin Upgrades will recognize the gap variables.

Impact

The missing __gap will affect the storage layout of future child contracts, because the convention for implementing upgradeable contracts is not followed.
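
The layout shift described above, as an added example that is not taken from the MondrianWallet2 code base: the same one-variable base upgrade is shown without and with a gap, and each child exposes the slot its own variable lands in. All contract and variable names are hypothetical, and the gap is placed after the base's state variables, as OpenZeppelin's upgradeable contracts do.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// All contract and variable names here are hypothetical, for illustration only.
// State variables are laid out base-first, in declaration order, one slot per uint256.

// --- Without a gap: adding a base variable shifts the child's storage ---
contract NoGapBaseV1 {
    uint256 internal limit;       // slot 0
}
contract NoGapBaseV2 {
    uint256 internal limit;       // slot 0
    uint256 internal dailySpent;  // slot 1 (where the V1 child kept `nonce`)
}
contract NoGapChildV1 is NoGapBaseV1 {
    uint256 public nonce;         // slot 1
    function nonceSlot() external pure returns (uint256 s) { assembly { s := nonce.slot } }
}
contract NoGapChildV2 is NoGapBaseV2 {
    uint256 public nonce;         // slot 2: the value stored at slot 1 is now read as dailySpent
    function nonceSlot() external pure returns (uint256 s) { assembly { s := nonce.slot } }
}

// --- With a gap: base state plus gap stays at 50 slots across versions ---
contract GapBaseV1 {
    uint256 internal limit;       // slot 0
    uint256[49] private __gap;    // slots 1..49, reserved
}
contract GapBaseV2 {
    uint256 internal limit;       // slot 0
    uint256 internal dailySpent;  // slot 1, taken from the gap
    uint256[48] private __gap;    // slots 2..49, shrunk by one
}
contract GapChildV1 is GapBaseV1 {
    uint256 public nonce;         // slot 50
    function nonceSlot() external pure returns (uint256 s) { assembly { s := nonce.slot } }
}
contract GapChildV2 is GapBaseV2 {
    uint256 public nonce;         // slot 50, unchanged after the base upgrade
    function nonceSlot() external pure returns (uint256 s) { assembly { s := nonce.slot } }
}
```

Behind a proxy, storage written by the V1 child stays where it was, so only the gapped pair keeps reading nonce from the slot it was written to.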

Tools Used

Manual Review

Recommendations

Add the __gap variable at the beginning of the MondrianWallet2 contract. Look at the following code.

contract MondrianWallet2 is IAccount, Initializable, OwnableUpgradeable, UUPSUpgradeable {
using MemoryTransactionHelper for Transaction;
+ uint256[48] __gap;
+
error MondrianWallet2__NotEnoughBalance();
...
}
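Review bot: the added line uint256[48] __gap; is declared ahead of the contract's own members, with no visibility specifier and no comment explaining the size 48. OpenZeppelin's convention declares the gap as private after the contract's last state variable, so that a later version adds its new variables in front of the gap and shrinks the array by the same number of slots; consider uint256[48] private __gap; placed there, with a comment recording how many slots the contract's own state uses so that the total stays constant across upgrades.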
Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Missing storage gap
