Tadle
Tadle
DeFiFoundry
27,750 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

UpgradeableProxy.sol has a wrong gap[49]

pandasec

Summary

UpgradeableProxy.sol implements the OpenZeppelin TransparentUpgradeableProxy which recommends to leave 50 total storage gaps and the implementation leaves 49 unused storage slots but the UpgradeableProxy.sol contract actually has 2 used slots, as described here - https://github.com/Cyfrin/2024-08-tadle/blob/main/src/proxy/UpgradeableProxy.sol#L17 - one for the admin and the other one for the tadleFactory leaving the free gaps to be 48.

/**
* @title UpgradeableProxy
* @notice This contrct is based on TransparentUpgradeableProxy.
* @dev This contrct serves as the proxy of SystemConfig, PreMarkets, DeliveryPlace, CapitalPool and TokenManager.
* @notice the first storage slot is used as admin.
* @notice the second storage slot is used as tadle factory.
* @notice Total Storage Gaps: 50, UnUsed Storage Slots: 49.
*/
contract UpgradeableProxy is TransparentUpgradeableProxy {
...

Vulnerability Details

Vulnerabilty can be found in the end of the code, in this line in the code - https://github.com/Cyfrin/2024-08-tadle/blob/main/src/proxy/UpgradeableProxy.sol#L44C4-L44C31

uint256[49] private __gap;

It has already two used storage slots, first for the admin address and the second one for the tadleFactory address which leaves 48 storage slots free and not 49

Impact

If another storage variable is added in the future, this will lead to a storage collision.

Tools Used

Manual review

Recommendations

Change the gap to:

uint256[48] private __gap;
Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
0xnevi Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.