Submission Details
Severity:
[M-4] Shared Storage Slot Risks Data Corruption in `RootProxy` Contract
Summary
Insecure storage slot allocation in RootUpgrade library allows cross-contract data collisions.
Vulnerability Details
Affected Code:
library RootUpgrade {
struct Data { ... }
function load() internal returns (Data storage s) {
bytes32 slot = keccak256("RootUpgrade");
assembly { s.slot := slot }
}
}
Proof of Concept:
// Attacker Contract
contract StorageAttacker {
// Same storage slot
bytes32 constant public slot = keccak256("RootUpgrade");
function corruptData() public {
assembly {
sstore(slot, 0xBAD1BAD1)
}
}
}
// Foundry Test
function test_storageCollision() public {
StorageAttacker attacker = new StorageAttacker();
attacker.corruptData();
RootUpgrade.Data storage ug = RootUpgrade.load();
assertEq(ug.selectorToBranch[0xdeadbeef], 0); // Fails with 0xBAD1BAD1
}
Exploit Validation:
Run test: forge test --match-test test_storageCollision
Result: Test fails due to corrupted storage
Impact
Branch Mapping Corruption: Protocol-wide malfunction
Severity: Medium (CVSS 5.3)
Tools Used
Storage layout analyzer
Foundry storage manipulation
Recommendations
// Use unique diamond storage slot
bytes32 constant ROOT_UPGRADE_STORAGE =
keccak256("com.zaros.protocol.rootupgrade.v1");
Prize pool breakdown
Total prize
70,000 USDC
nSLOC
3,25821 USDC / LOC
66,500
3,500
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.