Severity: High
Category: Storage Management
Impact: Potential storage corruption leading to system-wide failure
Likelihood: High, especially during future upgrades
Contract: ScrvusdVerifierV1 & ScrvusdVerifierV2
Function: All storage-using functions
Lines Affected: All storage variables
The contract inherits an upgradeable pattern but lacks storage gaps, risking storage collisions in future upgrades.
ScrvusdVerifierV3 is deployed
New storage variables are added
Storage collision occurs with V2's PERIOD_SLOT
Critical oracle data becomes corrupted
Use OpenZeppelin's upgradeable contracts pattern
Document storage layout explicitly
Implement strict storage management policies
Impact: High - Storage corruption could lead to:
Oracle price manipulation
System-wide failure
Loss of funds
Likelihood: High - Future upgrades are likely
Invalid, - srCRVUSD is a minimal proxy, meaning it can never by upgraded, see [here](https://www.cyfrin.io/blog/upgradeable-proxy-smart-contract-pattern#:~:text=Minimal%20proxies%20are%20distinct%20from,provide%20upgrade%20or%20authorization%20functionality.) and [here](https://www.rareskills.io/post/eip-1167-minimal-proxy-standard-with-initialization-clone-pattern) for more info. - Even if srcrvUSD is migrated in the future via a new minimal proxy contract deployment (which is highly unlikely), the verifier contracts can be migrated along with it via revoking the access-control within the `ScrvusdOracleV2.vy` and then granting access to a new oracle. This is also not within the scope of this contest.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.