StakingPool inherited a contract that does not have a storage gap
Summary
The StakingPool contract inherits the StakingRewardsPool contract; this makes the stakingPool an upgradeable contract. The StakingRewardsPool contract does not include a storage gap to reserve storage slots for future variables. In the context of upgradeable contracts, it is critical to reserve storage space for future upgrades by leaving an unused storage gap.
Vulnerability Details
Impact
Variable Overwrites: If a new variable is added to StakingRewardsPool during a future upgrade, it could overwrite storage slots already occupied by variables in the StakingPool contract leading to unpredictable behavior.
Loss of State Integrity: Critical state variables could be overwritten, leading to contract malfunctions such as incorrect access control, loss of funds, or unintended behavior.
Tools Used
Manual Review
Recommendations
To avoid future storage collisions, add a storage gap in StakingRewardsPool. A storage gap is typically an array of unused storage slots that allows for future upgrades without overwriting existing storage slots.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.