Missing Storage Gap Variable in Base Contract `StakingRewardsPool`
Summary
The StakingRewardsPool contract, serving as a base contract for StakingPool, lacks a storage gap. This omission can lead to storage collision issues in future upgrades, causing data corruption or unexpected behavior across the entire staking system.
Vulnerability Details
The StakingRewardsPool contract is designed as a base contract for StakingPool. It defines several state variables but crucially lacks storage gap:
https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/base/StakingRewardsPool.sol#L14
The absence of this gap means that any new variables added in future upgrades of StakingRewardsPool risk overwriting existing storage in StakingPool.
Impact
Future upgrades to
StakingRewardsPoolthat add new state variables will likely overwrite existing storage inStakingPool, leading to severe data corruption.The behavior of
StakingPoolmay become unpredictable after an upgrade, directly threatening user funds and the integrity of the entire staking system.It effectively prevents safe upgrades to the base
StakingRewardsPoolcontract, severely limiting the protocol's ability to evolve and fix potential issues.
Tools Used
Manual Review
This missing storage gap is NOT mentioned in the provided known issues.
Recommendations
Add storage gap variable after all of the storage variables to the StakingRewardsPool contract:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.