Zaros Part 2
Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: medium
Invalid

`BaseAdapter` has no storage gap for upgrades.

Summary

BaseAdapter is the upgradeable base of the DEX adapters, but it declares no storage gap, so no state variable can ever be appended to it without shifting every variable declared by its inheriting contracts.
https://github.com/Cyfrin/2025-01-zaros-part-2/blob/main/src/utils/dex-adapters/BaseAdapter.sol#L58

Vulnerability Details

For example, consider CurveAdapter's storage layout. The variables inherited from BaseAdapter occupy slots 0 to 2, and CurveAdapter's own address curveStrategyRouter lands in slot 3, immediately after uint256 deadline, with no reserved slots in between.
https://github.com/Cyfrin/2025-01-zaros-part-2/blob/main/src/utils/dex-adapters/CurveAdapter.sol

$ forge inspect CurveAdapter storage-layout
{
"storage": [
{
"astId": 10210,
"contract": "src/utils/dex-adapters/CurveAdapter.sol:CurveAdapter",
"label": "swapAssetConfigData",
"offset": 0,
"slot": "0",
"type": "t_mapping(t_address,t_struct(SwapAssetConfigData)10177_storage)"
},
{
"astId": 10213,
"contract": "src/utils/dex-adapters/CurveAdapter.sol:CurveAdapter",
"label": "slippageToleranceBps",
"offset": 0,
"slot": "1",
"type": "t_uint256"
},
{
"astId": 10216,
"contract": "src/utils/dex-adapters/CurveAdapter.sol:CurveAdapter",
"label": "deadline",
"offset": 0,
"slot": "2",
"type": "t_uint256"
},
{
"astId": 10488,
"contract": "src/utils/dex-adapters/CurveAdapter.sol:CurveAdapter",
"label": "curveStrategyRouter",
"offset": 0,
"slot": "3",
"type": "t_address"
}
],
// ...
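The following Foundry test is an added example, not code from the Zaros repository: it reproduces the layout shape above with hypothetical contracts (BaseNoGap/ChildNoGap and BaseGap/ChildGap, with a made-up `router` variable standing in for curveStrategyRouter and a made-up `maxSwapAmount` standing in for any variable a future upgrade might append to the base). It simulates a proxy upgrade with vm.etch, which swaps the code at an address while leaving its storage untouched, and shows that without a gap the child's variable is aliased by the new base variable, while with a gap that is shrunk by the same number of slots it stays in place. It assumes forge-std is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Zaros code). Assumes forge-std is available.
import {Test} from "forge-std/Test.sol";

// --- Without a gap: same shape as BaseAdapter / CurveAdapter ---
contract BaseNoGapV1 {
    uint256 public slippageToleranceBps; // slot 0
    uint256 public deadline;             // slot 1
}

contract ChildNoGapV1 is BaseNoGapV1 {
    address public router;               // slot 2 (hypothetical stand-in for curveStrategyRouter)
    function setRouter(address r) external { router = r; }
}

// "Upgrade": one variable appended to the base, child source unchanged
contract BaseNoGapV2 {
    uint256 public slippageToleranceBps; // slot 0
    uint256 public deadline;             // slot 1
    uint256 public maxSwapAmount;        // slot 2, collides with the child's router
}

contract ChildNoGapV2 is BaseNoGapV2 {
    address public router;               // now slot 3, which was never written
    function setRouter(address r) external { router = r; }
}

// --- With a gap: the base reserves slots, child variables stay put ---
contract BaseGapV1 {
    uint256 public slippageToleranceBps; // slot 0
    uint256 public deadline;             // slot 1
    uint256[50] private __gap;           // slots 2..51 reserved
}

contract ChildGapV1 is BaseGapV1 {
    address public router;               // slot 52
    function setRouter(address r) external { router = r; }
}

contract BaseGapV2 {
    uint256 public slippageToleranceBps; // slot 0
    uint256 public deadline;             // slot 1
    uint256 public maxSwapAmount;        // slot 2, carved out of the gap
    uint256[49] private __gap;           // slots 3..51, gap shrunk by one
}

contract ChildGapV2 is BaseGapV2 {
    address public router;               // still slot 52
    function setRouter(address r) external { router = r; }
}

contract StorageGapTest is Test {
    address constant ROUTER = address(0xBEEF);

    // Simulate a proxy upgrade: keep the storage at `target`, replace only the code.
    function _upgrade(address target, address newImpl) internal {
        vm.etch(target, newImpl.code);
    }

    function testNoGapUpgradeCorruptsChildStorage() public {
        ChildNoGapV1 child = new ChildNoGapV1();
        child.setRouter(ROUTER);
        // Before the upgrade the router really sits in slot 2.
        assertEq(vm.load(address(child), bytes32(uint256(2))), bytes32(uint256(uint160(ROUTER))));

        _upgrade(address(child), address(new ChildNoGapV2()));
        ChildNoGapV2 upgraded = ChildNoGapV2(address(child));

        // The old router value now surfaces as the new base variable, and router reads empty.
        assertEq(upgraded.maxSwapAmount(), uint256(uint160(ROUTER)));
        assertEq(upgraded.router(), address(0));
    }

    function testGapUpgradePreservesChildStorage() public {
        ChildGapV1 child = new ChildGapV1();
        child.setRouter(ROUTER);

        _upgrade(address(child), address(new ChildGapV2()));
        ChildGapV2 upgraded = ChildGapV2(address(child));

        assertEq(upgraded.router(), ROUTER);   // unchanged at slot 52
        assertEq(upgraded.maxSwapAmount(), 0); // fresh slot, never written
    }
}
```

Run it with `forge test --match-contract StorageGapTest -vv`; `forge inspect ChildGapV2 storage-layout` on the same file shows router at slot 52 in both the V1 and V2 variants, which is the invariant a gap is meant to protect.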

Impact

No future upgrade can append a state variable to BaseAdapter without shifting every variable declared in inheriting contracts such as CurveAdapter by one slot. In the layout above, a new base variable would take slot 3 and alias curveStrategyRouter, so the adapter would read the old router address as the new variable and read address(0) as its router.

Tools Used

Foundry

Recommendations

Add a storage gap in BaseAdapter as below.

uint256 deadline;
+ uint256[50] private __gap;
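Review bot: the gap has to be introduced before any proxy backed by a BaseAdapter subclass is deployed; inserting `uint256[50] private __gap;` after `deadline` into an already-deployed layout moves CurveAdapter's curveStrategyRouter from slot 3 to slot 53, which is exactly the corruption the gap is meant to prevent. Each later upgrade that adds a base variable must also shrink the array by the same number of slots (for example `uint256[49]` after adding one `uint256`) so the total footprint of BaseAdapter stays fixed.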

https://github.com/Cyfrin/2025-01-zaros-part-2/blob/main/src/utils/dex-adapters/BaseAdapter.sol#L58-L59
Reference: https://docs.openzeppelin.com/upgrades-plugins/writing-upgradeable#storage-gaps

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
