Submission Details
Severity: high
Invalid

Storage Collision in Upgradeable Contract Pattern

1. Summary

  • Severity: High

  • Category: Storage Management

  • Impact: Potential storage corruption leading to system-wide failure

  • Likelihood: High, especially during future upgrades


2. Affected Code

```solidity
contract ScrvusdVerifierV1 {
    // Storage slots of parameters
    uint256[PROOF_CNT] internal PARAM_SLOTS = [
        uint256(0), // filler for account proof
        uint256(21), // total_debt
        // ...existing code...
    ];
    address public immutable SCRVUSD_ORACLE;
    address public immutable BLOCK_HASH_ORACLE;
    // Missing storage gap for upgrades
}
```

  • Contract: ScrvusdVerifierV1 & ScrvusdVerifierV2

  • Function: All storage-using functions

  • Lines Affected: All storage variables


3. Vulnerability Details

Root Cause

The contract inherits an upgradeable pattern but lacks storage gaps, risking storage collisions in future upgrades.

Attack Scenario

  1. ScrvusdVerifierV3 is deployed

  2. New storage variables are added

  3. Storage collision occurs with V2's PERIOD_SLOT

  4. Critical oracle data becomes corrupted


4. Proof of Concept (PoC)

```solidity
contract StorageCollisionTest {
    function testStorageCollision() public {
        // Deploy V1
        ScrvusdVerifierV1 v1 = new ScrvusdVerifierV1();
        // Upgrade to V2
        ScrvusdVerifierV2 v2 = new ScrvusdVerifierV2();
        // Deploy V3 with colliding storage
        contract ScrvusdVerifierV3 is ScrvusdVerifierV2 {
            uint256 public newVariable; // Collides with PERIOD_SLOT
        }
    }
}
```

5. Recommended Fix

Proposed Solution

```solidity
contract ScrvusdVerifierV1 {
    // ...existing code...
    // Reserve storage slots for future versions
    uint256[50] private __gap;
}
```

Alternative Mitigation Strategies

  • Use OpenZeppelin's upgradeable contracts pattern

  • Document storage layout explicitly

  • Implement strict storage management policies


6. Severity Justification

  • Impact: High - Storage corruption could lead to:

    • Oracle price manipulation

    • System-wide failure

    • Loss of funds

  • Likelihood: High - Future upgrades are likely

Updates

Lead Judging Commences

0xnevi Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

[invalid] finding-upgradeable-verifier-contracts

Invalid,

- srCRVUSD is a minimal proxy, meaning it can never be upgraded, see [here](https://www.cyfrin.io/blog/upgradeable-proxy-smart-contract-pattern#:~:text=Minimal%20proxies%20are%20distinct%20from,provide%20upgrade%20or%20authorization%20functionality.) and [here](https://www.rareskills.io/post/eip-1167-minimal-proxy-standard-with-initialization-clone-pattern) for more info.
- Even if srcrvUSD is migrated in the future via a new minimal proxy contract deployment (which is highly unlikely), the verifier contracts can be migrated along with it via revoking the access-control within the `ScrvusdOracleV2.vy` and then granting access to a new oracle. This is also not within the scope of this contest.
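
The minimal-proxy argument in the judgement can be checked against deployed bytecode. The following is an added example, not part of the submission or the judge's comment: it tests whether runtime code (as returned by `eth_getCode`) is the canonical 45-byte EIP-1167 minimal proxy and extracts the implementation address hardcoded in it. The function name and the sample inputs are constructed for illustration, and only the canonical form of the standard is recognised.

```python
from typing import Optional

# Canonical EIP-1167 runtime bytecode, split around the 20-byte
# implementation address that is embedded directly in the code.
EIP1167_PREFIX = bytes.fromhex("363d3d373d3d3d363d73")
EIP1167_SUFFIX = bytes.fromhex("5af43d82803e903d91602b57fd5bf3")
EIP1167_LENGTH = len(EIP1167_PREFIX) + 20 + len(EIP1167_SUFFIX)  # 45 bytes

# Constructed sample: the standard's template with a placeholder address.
SAMPLE_PROXY = "0x" + (EIP1167_PREFIX + b"\xbe" * 20 + EIP1167_SUFFIX).hex()
# Constructed sample: the start of ordinary compiled contract code.
SAMPLE_OTHER = "0x6080604052"


def minimal_proxy_target(runtime_code_hex: str) -> Optional[str]:
    """Return the hardcoded implementation address, or None if the code
    is not a canonical EIP-1167 minimal proxy."""
    text = runtime_code_hex.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    try:
        code = bytes.fromhex(text)
    except ValueError:
        return None  # not valid hex, so not bytecode we can classify
    # Exact length match: any extra byte means this is some other contract.
    if len(code) != EIP1167_LENGTH:
        return None
    if not code.startswith(EIP1167_PREFIX) or not code.endswith(EIP1167_SUFFIX):
        return None
    start = len(EIP1167_PREFIX)
    return "0x" + code[start:start + 20].hex()


if __name__ == "__main__":
    for label, code in (("proxy", SAMPLE_PROXY), ("other", SAMPLE_OTHER)):
        target = minimal_proxy_target(code)
        if target:
            # The target lives in the code itself, not in a storage slot,
            # so no transaction can repoint this proxy.
            print(f"{label}: EIP-1167 minimal proxy -> {target}")
        else:
            print(f"{label}: not a canonical EIP-1167 minimal proxy")
```

A match means the delegate target is fixed in the contract's code, with no admin slot or upgrade function to review; a non-match says nothing either way and calls for a manual look at the proxy pattern in use.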
