Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Non-upgradable reentrancyGuard imported in StabilityPool contract

vladislavvankov0

Summary

The StabilityPool contract is designed as an upgradable contract, yet it imports and inherits from the non-upgradeable ReentrancyGuard. This can result in storage layout mismatches and potential upgrade issues, affecting long-term contract stability.

Vulnerability Details

Inconsistent Import:
The contract currently imports:

import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
whereas, for upgradable contracts, the upgradable version should be used:

import "@openzeppelin/contracts-upgradeable/security/ReentrancyGuardUpgradeable.sol";
Implications:
- Storage Layout Mismatch:
  Non-upgradeable contracts have a fixed storage layout. Using a non-upgradeable ReentrancyGuard in an upgradable contract may lead to conflicts during upgrades, since the proxy pattern relies on consistent storage layout across versions.
- Initialization Issues:
  Upgradable contracts require explicit initialization of inherited contracts. The non-upgradeable ReentrancyGuard does not support this, potentially causing uninitialized state variables or misaligned storage.
Maintainability:
The presence of non-upgradeable components in an upgradable contract can cause confusion among developers and auditors, and may lead to future upgrade risks.

Impact

While the immediate functionality of the contract is not compromised, the use of a non-upgradeable ReentrancyGuard increases the risk of subtle bugs during future upgrades or migrations.

If the contract is upgraded, mismatches in storage layout between the non-upgradeable ReentrancyGuard and its upgradable counterpart could result in unexpected behavior or require complex migrations.

Tools Used

Manual review

Recommendations

Use the Upgradable Version:
Replace the current import with:

import "@openzeppelin/contracts-upgradeable/security/ReentrancyGuardUpgradeable.sol";
Adjust Inheritance:
Modify the contract declaration to inherit from ReentrancyGuardUpgradeable:

contract StabilityPool is IStabilityPool, Initializable, ReentrancyGuardUpgradeable, OwnableUpgradeable, PausableUpgradeable {
Initialize the Reentrancy Guard:
In the initialize function, include the initialization call:

function initialize(/* parameters */) public initializer {
__ReentrancyGuard_init();
// existing initialization logic...
}

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!