Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Incorrect handling of the slots in the new implementation, which will affect the currently stored values.

thaddeus19

Summary

Incorrect handling of the slots in the new implementation, which will affect the currently stored values and the order of the variables.

Vulnerability Details

We can see in the deployed OperartorVCS contract (https://explorer.sim.io/eth/20936865/0x4852e48215a4785ee99b640caced5378cc39d2a4) the slots:

slot 209 is for indexOfLastFullVault uint256 = 14
slot 210 maxDepositSizeBP uint256 = 9000
slot 223 preRelease bool = false

Which in the new implementation would be overwritten by:

{
"astId": 2554,
"contract": "contracts/linkStaking/OperatorVCS.sol:OperatorVCS",
"label": "maxDepositSizeBP",
"offset": 0,
"slot": "209",
"type": "t_uint256"
},
{
"astId": 2557,
"contract": "contracts/linkStaking/OperatorVCS.sol:OperatorVCS",
"label": "fundFlowController",
"offset": 0,
"slot": "210",
"type": "t_contract(IFundFlowController)3608"
},
{
"astId": 419,
"contract": "contracts/linkStaking/OperatorVCS.sol:OperatorVCS",
"label": "vaultsToRemove",
"offset": 0,
"slot": "223",
"type": "t_array(t_address)dyn_storage"
}

Just like in the deployed CommunityVCS contract: (https://explorer.sim.io/eth/20936950/0xac12290b097f6893322f5430627e472131fbc1b5) los slots:

slot 209 is for indexOfLastFullVault uint256 = 14
slot 210 maxDepositSizeBP uint256 = 9000

Which in the new implementation would be overwritten by:

{
"astId": 2554,
"contract": "contracts/linkStaking/OperatorVCS.sol:OperatorVCS",
"label": "maxDepositSizeBP",
"offset": 0,
"slot": "209",
"type": "t\_uint256"
},
{
"astId": 2557,
"contract": "contracts/linkStaking/OperatorVCS.sol:OperatorVCS",
"label": "fundFlowController",
"offset": 0,
"slot": "210",
"type": "t\_contract(IFundFlowController)3608"
},

Impact

If the variables are not initialized, they would have incorrect values; for example, fundFlowController would reference 9000 converted into an address:

address test = 9000
Compiler errors:
Error (9574): Type int_const 9000 is not implicitly convertible to expected type address.
--> ReplContract.sol:16:9:
|
16 | address test = 9000;
| ^^^^^^^^^^^^^^^^^^^
address test = address(uint160(9000))
➜ test
Type: address
└ Data: 0x0000000000000000000000000000000000002328

And since it is not a valid address, the calls to fundFlowController would revert. In the case of maxDepositSizeBP, it would become 14, which is the currently stored value.

Tools Used

Recommendations

Respect the order of the previously defined variables, or alternatively replace them, for example, with:

- uint256 indexOfLastFullVault;
+ uint256 private __gap;
- bool preRelease;
+ bool private __gap1;
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.