Tadle

DeFiFoundry
27,750 USDC
Submission Details
Severity: high
Invalid

Usage of an incorrect version of Ownable and Pausable library can potentially cause malfunctions during upgrades

Summary

The Rescueable.sol contract uses non-upgradeable versions of the Ownable and Pausable contracts from OpenZeppelin. This is problematic for upgradeable contracts that inherit from Rescueable.sol, as they might face issues with ownership control and potential storage collisions during proxy deployments and upgrades.

Vulnerability Details

The Rescueable.sol contract inherits from @openzeppelin/contracts/access/Ownable.sol and @openzeppelin/contracts/utils/Pausable.sol, both of which are non-upgradeable contracts. While Rescueable.sol itself is not meant to be upgradeable, the contracts that inherit from it are intended to be upgradeable.

  1. Ownership Issues: The use of non-upgradeable Ownable and Pausable contracts in Rescueable.sol could lead to issues with ownership management if upgradeable contracts rely on these non-upgradeable patterns during proxy upgrades.

  2. Potential Storage Collisions: Since the Ownable and Pausable contracts do not have storage gaps (i.e., they do not have reserved storage slots for future upgrades), inheriting them in upgradeable contracts could cause storage collisions. This can lead to unexpected behavior or corruption of contract state during upgrades.

Impact

  • Potential Ownership Issues: Contracts inheriting from Rescueable.sol might encounter problems with ownership control if they rely on the non-upgradeable Ownable and Pausable patterns. This could lead to complications during proxy deployments and upgrades.

  • Storage Collisions: The lack of storage gaps in the non-upgradeable Ownable and Pausable contracts can cause storage collisions when inheriting these contracts in upgradeable contracts. This could lead to incorrect state or behavior of the upgradeable contract.

Tools Used

Manual Review

Recommendations

  1. Review and Update Inheriting Contracts: Ensure that any upgradeable contracts inheriting from Rescueable.sol are compatible with the upgradeable pattern. Consider using OwnableUpgradeable and PausableUpgradeable from @openzeppelin/contracts-upgradeable for these contracts if upgradeability is required.

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
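
Added example (not part of the submission, the judging, or Tadle's code): a simplified model of Solidity's sequential slot assignment, used to check the question the storage-collision argument turns on, namely whether an upgrade moves variables that already exist. It assumes value types and `uint256[N]` gap arrays only and an Ownable-then-Pausable inheritance order; `Child`, `total` and `delay` are hypothetical names.

```python
# Added example: simplified model of Solidity storage layout.
# Handles value types and uint256[N] arrays only (sizes in bytes).
SLOT = 32

def layout(contracts):
    """contracts: [(contract, [(var, size_bytes), ...])], most-base first
    (C3-linearized order). Returns {"Contract.var": (slot, byte_offset)}."""
    slot, offset, out = 0, 0, {}
    for cname, variables in contracts:
        for vname, size in variables:
            # A variable that does not fit in the rest of the slot starts a new one.
            if offset and offset + size > SLOT:
                slot, offset = slot + 1, 0
            out[f"{cname}.{vname}"] = (slot, offset)
            offset += size
            slot, offset = slot + offset // SLOT, offset % SLOT
    return out

def moved(old, new):
    """Existing variables (gaps excluded) whose slot or offset changed."""
    return {k: (old[k], new[k]) for k in old
            if k in new and old[k] != new[k] and not k.endswith(".__gap")}

def chain(rescueable_vars):
    # Assumed order: Ownable, Pausable, Rescueable, then a hypothetical Child.
    return [("Ownable", [("_owner", 20)]),      # address
            ("Pausable", [("_paused", 1)]),     # bool, packs next to _owner
            ("Rescueable", rescueable_vars),
            ("Child", [("total", 32)])]         # hypothetical uint256

# Hypothetical upgrade: Rescueable gains a uint256 `delay`.
NO_GAP = moved(layout(chain([])), layout(chain([("delay", 32)])))
# Same upgrade when Rescueable reserved uint256[50] and shrinks it to [49].
WITH_GAP = moved(layout(chain([("__gap", 32 * 50)])),
                 layout(chain([("delay", 32), ("__gap", 32 * 49)])))

if __name__ == "__main__":
    print("without gap:", NO_GAP)
    print("with gap:   ", WITH_GAP)
```

For a real code base, compare the compiler's own output (`solc --storage-layout`) between the deployed and the new implementation rather than relying on a model like this one.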
