Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-08-nounsdao/blob/45411325ec14c6d747b999a40367d3c5109b5a89/contracts/governance/NounsDAOLogicV2.sol#L57
If we list the sequence of how variables receive slots, we will see the failure to follow "append-only" principle. Many variable added "in-between" https://blog.openzeppelin.com/the-state-of-smart-contract-upgrades/ V2 version can read/write wrong slots.
Here is the table/list of variable, built taking into account the inheritance (it's different too) https://docs.google.com/spreadsheets/d/1ple2VeQjsUMnD1sCFK75euPDUrVG4HiNx37GIhtAFbk/edit?usp=sharing Red color - variable breaking the append-only principle.
Hardhat
Move everything to append-only sequence.
constants are not storage variable, and hence don't create storage slot collisions
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/45411325ec14c6d747b999a40367d3c5109b5a89/contracts/governance/NounsDAOLogicV2.sol#L57
Vulnerability details
Impact
If we list the sequence of how variables receive slots, we will see the failure to follow "append-only" principle. Many variable added "in-between" https://blog.openzeppelin.com/the-state-of-smart-contract-upgrades/ V2 version can read/write wrong slots.
Proof of Concept
Here is the table/list of variable, built taking into account the inheritance (it's different too) https://docs.google.com/spreadsheets/d/1ple2VeQjsUMnD1sCFK75euPDUrVG4HiNx37GIhtAFbk/edit?usp=sharing Red color - variable breaking the append-only principle.
Tools Used
Hardhat
Recommended Mitigation Steps
Move everything to append-only sequence.