search

code-423n4 / 2023-11-kelp-findings

13 stars 11 forks source link

No storage gap in upgradeable contracts might lead to storage slot collision #131

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTDepositPool.sol#L1

Vulnerability details

As mentioned in the contest's page, all the smart contracts are upgradeable so it is necessary to add at the end of the contracts a storage gap

storage gap is a must for upgradeable contract because it let the devs to add new state variables in the future without compromising the storage compatibility with existing deployments

To solve the issue, add uint256[50] private __gap at the end of upgradeable contracts

Assessed type

Upgradable

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #49

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid