`replace_class_syscall` does not run a constructor
Github
Summary
The current upgrade mechanism in Cairo, as implemented in bridge.cairo and erc721_bridgeable.cairo, utilizes the replace_class_syscall function. This syscall does not invoke a constructor, which complicates the process of updating storage variables and may result in a temporary denial of service if storage updates are needed.
Impact
Since replace_class_syscall does not run a constructor, updating storage variables directly in an upgrade process is not feasible, potentially leading to disruptions in contract functionality.
Recommendation
I did some research into StarkNet forums and expert discussions confirms that this issue is a known limitation in Cairo upgrades. My suggestion to address storage updates, consider implementing a temporary class with an initialization function as a workaround to facilitate necessary storage changes during upgrades.
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Appeal created
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.