Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: medium
Invalid

Corruptible Upgradability Pattern in `core/` Contracts

Summary

The `core/` contracts in the provided codebase are intended to be upgradeable. However, they inherit from the `Rescuable` contract, which does not initialize the `__gap` storage variable. This omission can lead to storage corruption during contract upgrades, resulting in unpredictable behavior and potential loss of funds.

This issue is a duplicate of https://github.com/sherlock-audit/2024-05-midas-judging/issues/109

Vulnerability Details

The `CapitalPool` contract inherits from `CapitalPoolStorage`, `Rescuable`, and `ICapitalPool`. The `CapitalPoolStorage` contract correctly initializes the `__gap` variable, which is a common practice to reserve storage slots for future upgrades.

The `Rescuable` contract does not initialize the `__gap` variable. This omission can lead to storage collisions when the contract is upgraded, as the storage layout may not be consistent across different versions of the contract.

  • The same goes for all the `core/` contracts.

Impact

Contracts might be corrupted during an upgrade.

Tools Used

Manual Analysis

Recommendations

Add gaps for the contracts.
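
How a gap, or the lack of one, affects the slots of contracts that follow a parent in the inheritance order, as an added example that is not part of the submission or the audited code. The contract and variable names are hypothetical, and the model assumes one full slot per variable with no packing.

```python
# Simplified model (assumption): every state variable occupies one full
# 32-byte slot and uint256[N] __gap occupies N slots. Real Solidity packs
# small types, so use the compiler's storage layout output for real audits.

def layout(linearized):
    """Map 'Contract.var' -> first slot for contracts given in storage
    order (most-base first), each a list of (name, slot_count)."""
    slots, cursor = {}, 0
    for contract, variables in linearized:
        for name, size in variables:
            if name != "__gap":          # gaps are padding, not data
                slots[f"{contract}.{name}"] = cursor
            cursor += size
    return slots

def moved(old, new):
    """Variables present in both versions whose slot changed."""
    a, b = layout(old), layout(new)
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}

# Constructed, hypothetical contracts (not the audited code base).
V1 = [
    ("StorageBase", [("owner", 1), ("__gap", 50)]),
    ("Mixin", [("paused", 1)]),          # no gap reserved
    ("Child", [("balance", 1)]),
]
# Upgrade A: Mixin gains a variable and has no gap to absorb it.
V2_MIXIN = [V1[0], ("Mixin", [("paused", 1), ("rescuer", 1)]), V1[2]]
# Upgrade B: StorageBase gains a variable and shrinks its gap by one slot.
V2_BASE = [("StorageBase", [("owner", 1), ("fee", 1), ("__gap", 49)]),
           V1[1], V1[2]]
# Upgrade C: same change as A, but no storage-bearing contract follows Mixin.
V1_LAST, V2_LAST = V1[:2], V2_MIXIN[:2]

if __name__ == "__main__":
    print("A, Mixin grows, Child follows:", moved(V1, V2_MIXIN))
    print("B, StorageBase grows into gap:", moved(V1, V2_BASE))
    print("C, Mixin grows, nothing after:", moved(V1_LAST, V2_LAST))
```

Only upgrade A reports a moved variable. Whether a missing gap matters therefore depends on which storage-bearing contracts come after the parent in the linearized order.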

Updates

Lead Judging Commences

0xnevi Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
