Several libraries are not ERC7201 compliant
Summary
Several libraries don't follow strictly the ERC7201 formula.
Vulnerability Details
The AssetSwapPath, Collateral, CreditDelegation, DexSwapStrategy, LiveMarkets, Market, MarketMakingEngineConfiguration, Swap, UsdTokenSwapConfig, Vault, WithdrawalRequest libraries don't follow exactly the formula prescribed by ERC-7201: keccak256(abi.encode(uint256(keccak256(bytes(id))) - 1)) & ~bytes32(uint256(0xff)).
If we consider the storage location from DexSwapStretegy library:
this will give the following result: 0xf3be8de7606a57190c7fdb4ad92f0badfc4dbea37908a77169bed41d0057c840.
If we apply the exact ERC7201 formula:
Then the result will be: 0xf3be8de7606a57190c7fdb4ad92f0badfc4dbea37908a77169bed41d0057c800.
Impact
The omitted part of the ERC7201 formula: & ~bytes32(uint256(0xff)) guarantees the last byte is 0x00 and this ensures proper storage alignment in future upgrades. The current version ignores this and the created slots don't end with 00 as the rightmost bytes. The protocol is expected to be ERC-7201 compatible, several libraries are prone to storage collision if not follow the specification. Failure to comply with ERC712 can lead to integration issues.
Tools Used
Manual Review
Recommendations
Used the exact ERC7201 formula to calculate the required storage slot in the AssetSwapPath, Collateral, CreditDelegation, DexSwapStrategy, LiveMarkets, Market, MarketMakingEngineConfiguration, Swap, UsdTokenSwapConfig, Vault, WithdrawalRequest libraries.
Lead Judging Commences
ERC7201 implemented incorrectly
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.