hats-finance / Fenix--0x9d7765a7ebd5b6322a30797a44a5428531970d3d


Incorrect size of `__gap` variable in VoterUpgradeableV1_2.sol. #52

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: @rilwan99
Twitter username: Ril11111
Submission hash (on-chain): 0xeae3d33c8222565cc65c2507d01a7610d811df60b123f11e40cd0657762ed133
Severity: medium

Description

Storage gaps are utilized by upgradeable contracts to reserve space in storage for future state variables in new implementation versions. VoterUpgradeable.sol reserves 50 storage slots for future versions of the implementation via `uint256[50] __gap`.

VoterUpgradeableV1_2.sol is a new version of the implementation that adds new state variables. As it is also an upgradeable contract, it must reserve storage slots for future implementations. However, it incorrectly does so by using uint256[50] __gap. Instead, it should be uint256[49] __gap. This is because the following new state variable was added:

uint256 public distributionWindowDuration;

See (https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable#storage-gaps)

Attack Scenario

If this incorrect gap size is not addressed:

  1. Future upgrades might unknowingly use storage slots that overlap with distributionWindowDuration, potentially leading to data corruption.
  2. Subsequent upgrades could introduce storage layout conflicts, causing unexpected behavior or vulnerabilities in the contract's state management.
  3. It may become difficult to accurately track available storage slots for future upgrades, increasing the risk of storage collision in later versions.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional) Replace uint256[50] private __gap on line 977 in VoterUpgradeableV1_2.sol with uint256[49] private __gap.
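A slot-accounting check for the invariant the report relies on (state variables plus `__gap` must occupy the same number of slots in every version), added here as an example; it is not code from the report or from the Fenix project. The variable lists are constructed stand-ins for the two contracts: only `distributionWindowDuration` and the `__gap` sizes come from the report, and sub-32-byte packing is not modelled.

```python
import re

GAP_RE = re.compile(r"^\s*uint256\[(\d+)\]\s+(?:private\s+)?__gap\s*;")


def slot_count(decl: str) -> int:
    """Slots one storage declaration consumes.
    Assumption (simplification): every non-array variable takes a full
    slot; a fixed uint256[N] array takes N slots. Packing of sub-32-byte
    types such as bool or uint8 is not modelled."""
    m = re.match(r"^\s*uint256\[(\d+)\]", decl)
    return int(m.group(1)) if m else 1


def gap_size(decls):
    """Size of the __gap array declared in this version, or None if absent."""
    for d in decls:
        m = GAP_RE.match(d)
        if m:
            return int(m.group(1))
    return None


def total_slots(decls):
    return sum(slot_count(d) for d in decls)


def check_gap(previous, current):
    """Return (ok, expected_gap): the new version must occupy exactly the
    slots the previous version did, so each slot taken by a new variable
    must be removed from __gap."""
    cur_gap = gap_size(current)
    used = total_slots(current) - (cur_gap or 0)
    expected = total_slots(previous) - used
    return (cur_gap == expected, expected)


# Constructed layouts (placeholder variables, not the real Voter source)
VOTER_V1 = [
    "address public token;",
    "mapping(address => uint256) public weights;",
    "uint256[50] private __gap;",
]
VOTER_V1_2_AS_SUBMITTED = VOTER_V1[:-1] + [
    "uint256 public distributionWindowDuration;",
    "uint256[50] private __gap;",  # gap not shrunk: one slot too many
]
VOTER_V1_2_FIXED = VOTER_V1[:-1] + [
    "uint256 public distributionWindowDuration;",
    "uint256[49] private __gap;",  # the fix proposed in the report
]

if __name__ == "__main__":
    for name, v in (("submitted", VOTER_V1_2_AS_SUBMITTED), ("fixed", VOTER_V1_2_FIXED)):
        ok, exp = check_gap(VOTER_V1, v)
        print(f"{name}: gap ok={ok}, expected __gap size {exp}")
```

Running the same check in CI against the declarations of each new implementation version catches a gap that was not reduced before the upgrade is deployed.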

0xmahdirostami commented 1 month ago

16