Open hats-bug-reporter[bot] opened 5 months ago
Storage gaps are used for contracts that are inherited. As the example with StakingServiceBase
, it is a base contract which is inherited by other pools, thus it features a gap. Other contracts like the manager, distributor, etc., are standalone contracts and would not face storage collision issues (unless variables are added inbetween existing ones, in which case the gap does not help)
Github username: -- Twitter username: -- Submission hash (on-chain): 0xbef1890d53e95fc678f72e9e2edc22e9863abbced087c64c1f72035daabf4efb Severity: medium
Description:
Description
None of the Convex protocol upgradable contracts include a __gap variable (besides StakingServiceBase). Without this variable, it is not possible to add any new variables to the inherited contracts without causing storage slot issues. Specifically, if variables are added to an inherited contract, the storage slots of all subsequent variables in the contract will shift by the number of variables added. Such a shift would likely break the contract.
Impact
this will cause storage slot issues when want to add new mechanisms.
PoC
contracts like this CVX1 and others which are upgradable actually missing __gap variable
and
Reccomendation
Recommend adding appropriate storage gap at the end of upgradeable contracts such as the below
uint256[50]private __gap;
uint256[50] private __gap; like this you used in StakingServiceBase