`RegistryAdapter` does not use ERC-7201 namespaced storage
Summary
The RegistryAdapter contract does not use ERC-7201 namespaced storage, possibly leading to storage collision when performing delegatecall.
Vulnerability Details
According to the contest's README, Nexus accounts use ERC-7201 namespaced storage to avoid storage collision with modules:
Nexus uses ERC-7201 namespaced storage to avoid data collision and ensure isolated module operations.
However, storage in RegistryAdapter does not follow the ERC-7201 namespaced storage pattern:
As a result, the registry storage variable will be in slot 0 of the Nexus account.
Therefore, if Nexus.execute() or Nexus.executeFromExecutor() is called to perform a delegatecall into a module that uses regular storage, it will overwrite the registry address.
Impact
The registry address will potentially be overwritten to corrupted data. This could cause the withRegistry() modifier to incorrectly revert or pass when calling registry.trustAttesters().
Recommendations
Use ERC-7201 namespaced storage for RegistryAdapter as well.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.