Closed code423n4 closed 1 year ago
trust1995 marked the issue as unsatisfactory: Out of scope
tom2o17 marked the issue as sponsor disputed
Compound upgradable contracts comply with the EIP-897 standard for upgradable contracts. As such, implementation contracts are aware of the storage layout of the proxy contract.
Any upgrades made to the token will follow the pattern here.
This should not break the storage layout set forth by the initial implementation contract.
cc @ypatil12 @cameronclifton
Lines of code
https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/lending/tokens/cCash/CCash.sol#L16
Vulnerability details
Impact
There is a possibility of a storage collision when you upgrade the implementation contract in https://github.com/code-423n4/2023-01-ondo/blob/main/contracts/lending/tokens/cCash/CCash.sol#L16. This could happen because storage in the smart contract is laid out from left to right, and if you add a new variable to the storage contract, it will push the storage values of the second inherited contract to the next slot.
Proof of Concept
This is a simple POC that demonstrates it:
If you try this code demonstration, you can see that the storage values are mapped as:
And if you upgrade the contract by uncommenting the storageAddition, the storage would be mapped as:
As you can see, the value 10 is pushed to slot 3.
And as you can see in this snippet of code:
contract CCash is CTokenCash, CErc20Interface
The CCash contract inherits CTokenCash, which inherits CTokenInterface and then CTokenStorage, which maps the storage layout; CErc20Interface inherits CErc20Storage, which stores the underlying variable. From this we can map the storage layout as this. If you add a new variable to CTokenStorage, whether to add a feature or for any other reason, the underlying variable will be pushed to slot n+2, and now every time the contract calls underlying it will be address(0). The mapped storage layout would be
Since you are using a proxy for this smart contract, you have to be mindful of the storage layout of the proxy so it does not point to the wrong slot.
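An upgrade-safety check for the collision described in this finding, added here as an example and not part of the report or the Ondo code base: it compares the "storage" arrays that `solc --storage-layout` emits for the old and new implementation and flags any existing variable that moved and any new variable inserted inside the slots the proxy already uses. The two layouts below are constructed, simplified stand-ins (not the real CCash layout); `underlying` represents the CErc20Storage variable placed after the CTokenStorage slots.

```python
# Constructed, simplified stand-ins for the "storage" array of `solc --storage-layout`
# output. They are NOT the real CCash layout; `underlying` stands for the CErc20Storage
# variable that is laid out after the CTokenStorage variables.
OLD_LAYOUT = {"storage": [
    {"label": "admin",       "slot": "0", "offset": 0, "type": "t_address"},
    {"label": "totalSupply", "slot": "1", "offset": 0, "type": "t_uint256"},
    {"label": "underlying",  "slot": "2", "offset": 0, "type": "t_address"},
]}
# Same contract after inserting `storageAddition` into the base storage contract.
NEW_LAYOUT = {"storage": [
    {"label": "admin",           "slot": "0", "offset": 0, "type": "t_address"},
    {"label": "totalSupply",     "slot": "1", "offset": 0, "type": "t_uint256"},
    {"label": "storageAddition", "slot": "2", "offset": 0, "type": "t_uint256"},
    {"label": "underlying",      "slot": "3", "offset": 0, "type": "t_address"},
]}


def check_layout(old, new):
    """Return a list of problems; an empty list means the upgrade only appends storage."""
    problems = []
    old_vars = old["storage"]
    old_labels = {v["label"] for v in old_vars}
    new_by_label = {v["label"]: v for v in new["storage"]}
    old_by_pos = {(int(v["slot"]), v["offset"]): v["label"] for v in old_vars}
    max_old_slot = max(int(v["slot"]) for v in old_vars)

    # 1. Every variable the proxy already stores must keep its slot, offset and type.
    for v in old_vars:
        n = new_by_label.get(v["label"])
        if n is None:
            problems.append(f"{v['label']} was removed; slot {v['slot']} is now reinterpreted")
        elif (int(n["slot"]), n["offset"]) != (int(v["slot"]), v["offset"]):
            problems.append(f"{v['label']} moved from slot {v['slot']} to slot {n['slot']}")
        elif n["type"] != v["type"]:
            problems.append(f"{v['label']} changed type {v['type']} -> {n['type']}")

    # 2. New variables may only live beyond the last slot the old layout used.
    for n in new["storage"]:
        if n["label"] in old_labels:
            continue
        slot = int(n["slot"])
        if slot <= max_old_slot:
            holder = old_by_pos.get((slot, n["offset"]), "packed data")
            problems.append(f"{n['label']} inserted at slot {slot}, previously holding {holder}")
    return problems


if __name__ == "__main__":
    for p in check_layout(OLD_LAYOUT, NEW_LAYOUT):
        print("COLLISION:", p)
```

Run against the real contracts by loading the JSON from `solc --storage-layout` for each implementation and passing the two dicts to `check_layout`.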