Storage Collision in LevelTwo Due to Mismatched Storage Layout
Summary
Upgradeable contracts using proxy patterns (like UUPS) rely on a strict invariant: the storage layout must remain compatible across implementations. Any deviation or reordering can cause storage slot collisions, where a new variable overwrites an existing variable at the same storage slot.
Vulnerability Details
Upgradeable contracts using proxy patterns (like UUPS) rely on a strict invariant: the storage layout must remain compatible across implementations. Any deviation or reordering can cause storage slot collisions, where a new variable overwrites an existing variable at the same storage slot.
The problem begins at slot 2, where schoolFees (from LevelOne) gets overwritten by sessionEnd (from LevelTwo). This continues down the layout, breaking multiple assumptions and corrupting the state.
This silent corruption is not reversible, and because Solidity does not enforce storage layout compatibility across upgrades, it will not raise any compile-time or deploy-time warnings.
Impact
State Corruption: Legitimate state variables from LevelOne are silently overwritten.
If bursary or payout logic uses corrupted variables, funds could be misrouted or drained.
Once upgraded, storage is permanently altered. There is no rollback without redeployment.
Tools Used
Manual code review
Storage Layout Inspection
Recommendations
Ensure exact matching storage layout between LevelOne and LevelTwo.
Declare _gap like this to leave room for future variables:
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.