Upgradeable contracts should implement a storage gap

[hats-bug-reporter[bot]]

Github username: @Madalad Submission hash (on-chain): 0xec1b7ad92bf3ad91b04dd5724e4106942eebc0610138e215204336808154e693 Severity: low

Description: Description\ A storage gap is empty reserved space in storage that is put in place in Upgradeable contracts. It allows us to freely add new state variables in the future without compromising the storage compatibility with existing deployments. It is typically implemented as a fixed length uint array named __gap at the end of an upgradeable smart contract

It isn’t safe to simply add a state variable because it "shifts down" all of the state variables below in the inheritance chain. This makes the storage layouts incompatible, as explained in Writing Upgradeable Contracts. The size of the __gap array is calculated so that the amount of storage used by a contract always adds up to the same number (usually 50 storage slots).

The following contracts are upgradeable but lack storage gaps:

• https://github.com/Cvg-Finance/hats-audit/blob/main/contracts/CloneFactory.sol
• https://github.com/Cvg-Finance/hats-audit/blob/main/contracts/CvgControlTower.sol

Attack Scenario\ Without a storage gap, there is a high risk of storage collisions when smart contracts are upgraded, which have extreme and significant consequences.

Recommendation\ Add storage __gap variables to CloneFactory and CvgControlTower.

Files:

• CloneFactory.sol (https://hats-backend-prod.herokuapp.com/v1/files/QmTdHthCSPEzy8QUiMqswaEF4n9FsLUvVWgq86RAWysAcH)
• CvgControlTower.sol (https://hats-backend-prod.herokuapp.com/v1/files/QmZerLuxiucWQmUh212i8icUBBhatjmThyDn5rC7FHTojR)

[shalbe-cvg]

Hello, Thanks a lot for your attention.

First of all, these contracts were not labelled in the scope of this audit contest but we still decided to analyze your issue. The two contracts you mentioned are not following an inheritance pattern and therefore do not need any storage gaps.

We have so to consider this issue as Invalid.