Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Invalid

Storage collision between proxy and implementation

Summary

The UpgradeableProxy contract's design intends to use the first storage slot for the admin address and the second slot for the tadleFactory address. However, the actual declaration ITadleFactory public tadleFactory may inadvertently use the first storage slot, potentially conflicting with the admin address.

Vulnerability Details

https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/proxy/UpgradeableProxy.sol#L21

Natspec of contract UpgradeableProxy (with audit annotations added by the submitter):

/**
 * @title UpgradeableProxy
 * @notice This contrct is based on TransparentUpgradeableProxy.
 * @dev This contrct serves as the proxy of SystemConfig, PreMarkets, DeliveryPlace, CapitalPool and TokenManager.
 * @notice the first storage slot is used as admin.
 *         // @audit-info the first slot is slot 0
 * @notice the second storage slot is used as tadle factory.
 * @notice Total Storage Gaps: 50, UnUsed Storage Slots: 49.
 */
contract UpgradeableProxy is TransparentUpgradeableProxy {
    // @audit this slot (slot 0) should be the admin
    ITadleFactory public tadleFactory;

When we run the command forge inspect UpgradeableProxy storage, we see that slot 0, which is the first slot, is not occupied by the admin as expected but rather by the tadle factory.

This article will help you get a better understanding of the problem:
https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies
section "Unstructured Storage Proxies"

Impact

The impact would be that an upgrade could brick a contract simply by rearranging the inheritance order, or by adding variables to an inherited contract, since the implementation slot will not be where it is expected.

Tools Used

Manual review, Foundry

Recommendations

Consider using EIP-1967.

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
