Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Small Storage Gap

Summary

The contracts mentioned below use a storage gap that's too small. This limits the contract's ability to be safely upgraded in the future. If developers try to add too many new features during an upgrade, it could overwrite important data and potentially cause the loss of user funds.

Vulnerability Details

The following contracts have a small storage gap:

- [Vault.sol](https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/linkStaking/base/Vault.sol#L30)

- [VaultControllerStrategy.sol](https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/linkStaking/base/VaultControllerStrategy.sol#L362)

Each contract includes a storage gap, which is meant to reserve storage slots for variables added in future upgrades.

The small gap creates the following problems:

1. Limited space for upgrades: The gap only allows a few new variables in future versions: 9 for Vault.sol and 4 for VaultControllerStrategy.sol. This isn't enough for most significant upgrades.

2. Risk of overwriting data: If a future upgrade adds more variables than the gap allows, it could accidentally overwrite existing important data in the contract.

3. Restricted improvements: The small gap makes it hard to add new features or make big changes to the contract in the future.

Impact

1. Restricted upgradability: The contract's ability to be upgraded is severely limited, potentially preventing necessary improvements or feature additions in the future.

2. Data corruption risk: If an upgrade exceeds the small gap, it could overwrite existing contract data, leading to unexpected behavior and possible loss of funds or critical information.

Tools Used

Manual Review

Recommendations

Expand the storage gap significantly. A common practice is to reserve 50 or more slots.
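As an added illustration (not Stakelink code, and not part of the original submission), the Solidity sketch below shows how a gap is consumed across upgrades and why a 9-slot gap runs out quickly. The contract and variable names (GapBaseV1, GapBaseV2, GapBaseV2Broken, Strategy, totalDeposits, feeBps, and so on) are hypothetical; the 9-slot figure is the one this finding reports for Vault.sol. The slot numbers in the comments follow Solidity's storage layout rules: a child's state variables are appended after all of its parents' variables, and a fixed-size array always starts a fresh slot.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration, not project code. All contract and variable names are
// hypothetical. Slot numbers assume the contracts are deployed behind a proxy
// whose storage is laid out by the implementation's inheritance order.

// V1: an upgradeable base with a 9-slot gap (the size reported for Vault.sol).
abstract contract GapBaseV1 {
    uint256 internal totalDeposits;   // slot 0
    address internal token;           // slot 1
    uint256[9] private __gap;         // slots 2..10 reserved for future base variables
}

// A concrete contract layered on top; its own state lands right after the gap.
contract Strategy is GapBaseV1 {
    uint256 public strategyBalance;   // slot 11
}

// V2 (correct): the base gains two variables, so the gap shrinks by exactly two.
// The base still spans slots 0..10, and Strategy.strategyBalance stays at slot 11.
abstract contract GapBaseV2 {
    uint256 internal totalDeposits;   // slot 0
    address internal token;           // slot 1
    uint256 internal feeBps;          // slot 2 (new)
    address internal feeReceiver;     // slot 3 (new)
    uint256[7] private __gap;         // slots 4..10: 9 - 2 = 7
}

// V2 (broken): the same two variables added without shrinking the gap.
// The base now spans slots 0..12, so the child's first variable moves to
// slot 13. After the upgrade it reads whatever slot 13 already held (zero,
// or another child variable's value), while the real strategyBalance in
// slot 11 is now hidden inside the gap.
abstract contract GapBaseV2Broken {
    uint256 internal totalDeposits;   // slot 0
    address internal token;           // slot 1
    uint256 internal feeBps;          // slot 2
    address internal feeReceiver;     // slot 3
    uint256[9] private __gap;         // slots 4..12 (wrong: should be 7)
}

// Every base variable added in any future upgrade consumes one gap slot (more
// for structs, arrays or mappings that occupy several slots). Once the gap
// reaches zero the base cannot grow at all without shifting every child's
// storage, and with 9 reserved slots that point comes after a handful of
// additions. The recommended layout reserves 50 slots from the start:
abstract contract GapBaseRecommended {
    uint256 internal totalDeposits;   // slot 0
    address internal token;           // slot 1
    uint256[50] private __gap;        // slots 2..51
}
```

The slot assignments can be confirmed with `forge inspect Strategy storage-layout` in a Foundry project, or, in a Hardhat project, with `upgrades.validateUpgrade` from @openzeppelin/hardhat-upgrades, which rejects a new implementation whose layout shifts or overwrites variables of the deployed one; running that check in CI catches the GapBaseV2Broken mistake before it reaches the proxy.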

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
