The StabilityPool contract is intended to be upgradeable; however, it imports the non-upgradeable version of ReentrancyGuard from OpenZeppelin. This can lead to issues, as the non-upgradeable version does not have the necessary initializers and storage gap reserved for upgradeable contracts, which are essential for proxy-based upgradeability mechanisms.
The StabilityPool contract is designed to be upgradeable: it is deployed behind a proxy and should therefore inherit from OpenZeppelin's upgradeable libraries (the @openzeppelin/contracts-upgradeable package). However, it imports the non-upgradeable ReentrancyGuard from @openzeppelin/contracts, which lacks:
Initializers: upgradeable contracts do not use constructors, because a constructor runs only on the implementation and never writes to the proxy's storage; they rely on initializer functions instead. The non-upgradeable ReentrancyGuard sets its _status flag in a constructor and offers no __ReentrancyGuard_init() to call from the proxy.
Storage gap: the upgradeable variants reserve spare storage slots (a __gap array) so that a parent contract can gain state in a later release without shifting the layout of every contract that inherits from it. The non-upgradeable version reserves none.
As a result, the guard's storage is never initialised through the proxy, and any future change to the inherited guard's layout would collide with StabilityPool's own variables, corrupting state after an upgrade and undermining the contract's security guarantees. Note that in current OpenZeppelin releases the guard still rejects reentrancy with _status left at zero, since the check only compares against the _ENTERED value, so the immediate impact is on upgrade safety rather than on the reentrancy check itself.
Use the upgradeable version of ReentrancyGuard: import ReentrancyGuardUpgradeable from @openzeppelin/contracts-upgradeable and call __ReentrancyGuard_init() from the StabilityPool initializer. If the project follows the OpenZeppelin v4 storage-gap convention, also reserve a __gap in StabilityPool itself so that its own future versions can add state without shifting the layout of any contract that inherits from it.
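The following is an added illustration of the recommended fix and is not StabilityPool's actual code. StabilityPoolFixed is a hypothetical stand-in with a minimal deposit/withdraw flow; the import paths assume OpenZeppelin Contracts Upgradeable v5 (in v4 the guard lives under security/ instead of utils/), and the __gap shown at the end follows the v4 convention that the finding refers to (v5 upgradeable contracts use ERC-7201 namespaced storage and do not need it).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// --- Before (the pattern this finding describes) ---
// import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
// contract StabilityPool is ReentrancyGuard { ... }
// The guard's constructor runs once, on the implementation, so the proxy's storage never
// receives the constructor-set _status value, and the non-upgradeable guard reserves no __gap.

// --- After: upgradeable guard, initialised through the proxy ---
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ReentrancyGuardUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";

/// @dev Hypothetical simplified stand-in for StabilityPool; not the audited contract.
contract StabilityPoolFixed is Initializable, ReentrancyGuardUpgradeable {
    mapping(address => uint256) public deposits;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation so nobody can call initialize() on it directly.
        _disableInitializers();
    }

    /// @notice Called once through the proxy in place of a constructor.
    function initialize() external initializer {
        // Writes _status = _NOT_ENTERED into the proxy's storage, which a constructor cannot do.
        __ReentrancyGuard_init();
    }

    function deposit() external payable {
        deposits[msg.sender] += msg.value;
    }

    /// @notice Guarded by nonReentrant, which now operates on properly initialised proxy storage.
    function withdraw(uint256 amount) external nonReentrant {
        uint256 bal = deposits[msg.sender];
        require(bal >= amount, "insufficient balance");
        deposits[msg.sender] = bal - amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Reserve slots so future versions of this contract can add state without shifting
    // the storage layout of anything that inherits from it (OpenZeppelin v4 convention).
    uint256[49] private __gap;
}
```

When deploying, the proxy is created pointing at the implementation and initialize() is invoked through the proxy in the same transaction (for example via the OpenZeppelin Upgrades plugin's deployProxy), which is what guarantees the guard's state lives in the proxy rather than in the implementation.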