Several local constant values in the leaf libraries do not comply with the ERC-7201 standard. For example, the ASSET_SWAP_STRATEGY_LOCATION constant in the AssetSwapPath library does not comply with the ERC-7201 standard due to incorrect storage slot derivation. This deviation introduces risks of storage collisions and unintended data corruption when interacting with other contracts or libraries that follow the ERC-7201 standard.
ERC-7201 mandates that storage slots must be aligned to 256-byte boundaries by clearing the last byte (via & ~bytes32(uint256(0xff))). However, the current implementation omits this step, resulting in a storage slot that may not align with the standard. For example, the ASSET_SWAP_STRATEGY_LOCATION constant in the AssetSwapPath library does not comply with the ERC-7201 standard: it lacks & ~bytes32(uint256(0xff)).
The same issue exists in Collateral, CreditDelegation, DexSwapStrategy, LiveMarkets, Market, MarketMakingEngineConfiguration, StabilityConfiguration, Swap, UsdTokenSwapConfig, Vault, and WithdrawalRequest.
Reference: https://eips.ethereum.org/EIPS/eip-7201
Incorrect ERC-7201 standard implementation will introduce risks of storage collisions and unintended data corruption when interacting with other contracts.
The impact is High, the likelihood is Low, so the severity is Medium.
Manual Review
Consider including the asset in the id and adding & ~bytes32(uint256(0xff)) to ensure the slot aligns with 256-byte boundaries. For example:
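The following Solidity is an added illustration of the recommendation, not code from the audited project or from this report's author: it puts a derivation without the mask beside the ERC-7201 formula and a per-asset variant that folds the asset into the id. The library name, the namespace id string, the Data struct and all function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example; names and the namespace id are hypothetical, not the project's.
library Erc7201SlotExample {
    /// Constructed namespace id, used only for illustration.
    string internal constant NAMESPACE_ID = "example.namespace.AssetSwapPath";

    /// Placeholder layout standing in for a leaf library's storage struct.
    struct Data {
        bool enabled;
        address[] assets;
    }

    /// Derivation with the final mask omitted: the low byte of the result
    /// is whatever the hash produced, so the root is not aligned.
    function unmaskedSlot(string memory id) internal pure returns (bytes32) {
        return keccak256(abi.encode(uint256(keccak256(bytes(id))) - 1));
    }

    /// ERC-7201 formula: same hash chain, then clear the last byte.
    function erc7201Slot(string memory id) internal pure returns (bytes32) {
        return keccak256(abi.encode(uint256(keccak256(bytes(id))) - 1))
            & ~bytes32(uint256(0xff));
    }

    /// Per-asset root: the asset is appended to the id before hashing
    /// (one reading of "including the asset in the id"; an assumption).
    function slotFor(address asset) internal pure returns (bytes32) {
        bytes memory id = abi.encodePacked(NAMESPACE_ID, asset);
        return keccak256(abi.encode(uint256(keccak256(id)) - 1))
            & ~bytes32(uint256(0xff));
    }

    /// Returns a storage pointer rooted at the masked per-asset slot.
    function load(address asset) internal pure returns (Data storage s) {
        bytes32 slot = slotFor(asset);
        assembly {
            s.slot := slot
        }
    }

    /// Check usable in unit tests: true only when the last byte is zero.
    function isAligned(bytes32 slot) internal pure returns (bool) {
        return (uint256(slot) & 0xff) == 0;
    }
}
```

A unit test can assert isAligned on every *_LOCATION constant in the affected libraries to catch a missing mask before deployment.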