Renaming of constants creates inconsistency in the upgrade process
Summary
The renaming of constants (TEACHER_WAGE to TEACHER_WAGE_L2 and PRINCIPAL_WAGE to PRINCIPAL_WAGE_L2) is a vulnerability as it creates inconsistency in the upgrade process. Missing details on why the new naming , we are not sure if the inteded purpose is to add additional variables or repalce existing.
Vulnerability Details
The constant names are changed between contracts:
Issues:
resulting bytecode will be different
Inconsistent naming convention breaks upgrade compatibility
No validation for constant name changes
Potential for confusion in contract interaction
Error prone since devs would need to update those new variabke names everywhere
Impact
Upgrade Compatibility: Breaks the upgrade pattern or makes it a lot harder to update, due the need for detailed check if names properly changed on all occurencies
Code Maintainability: Creates confusion in contract interaction
Contract Integrity: Undermines the upgrade process
Harder documentation: Documentations need to be changed everytime with the new name
Verification: need to re-verify the contract with the new source code
Tools Used
Manual code review
Recommendations
Maintain consistent constant names across versions
Use storage gaps to prevent collisions
Add validation for constant changes
Document any necessary constant changes
Consider implementing a migration function for constant changes
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.