hats-finance / SafeStaking-by-HOPR-0x607386df18b663cf5ee9b879fbc1f32466ad5a85

HOPR is an open incentivized mixnet which enables privacy-preserving point-to-point data exchange. HOPR is similar to Tor but actually private, decentralized and economically sustainable.
https://hoprnet.org
GNU General Public License v3.0

Missing storage gap for upgradeable contracts #15

Open hats-bug-reporter[bot] opened 12 months ago

hats-bug-reporter[bot] commented 12 months ago

Github username: @jonsey
Submission hash (on-chain): 0x42758020f253bfa1df3b931feff54de329f8ed59862bbcca93e060db48a21915
Severity: medium

Description

Storage gaps are a convention for reserving storage slots in a base contract, allowing future versions of that contract to use up those slots without affecting the storage layout of child contracts.

The existing HoprNodeManagementModule is a child module of SimplifiedModule, which inherits from OwnableUpgradeable. The critical issue here is that there is no storage gap defined in SimplifiedModule. This means that if an upgrade to SimplifiedModule occurs at any point, and a new variable is added, the variable `address public multisend;` could be overwritten. Such an event could have severe implications for the protocol's integrity.

OpenZeppelin Storage Gaps recommendation

Recommendation

Add an appropriate storage gap at the end of SimplifiedModule as recommended by OpenZeppelin in this link: OpenZeppelin Storage Gaps recommendation

uint256[50] private __gap;

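
The slot shift the report describes, as an added example that is not part of the submission or the HOPR code base: a small Python model of how Solidity assigns storage slots along an inheritance chain (most-base contract first, no packing), run once with a gapless SimplifiedModule and once with the recommended gap. The base contract's own state (OwnableUpgradeable and friends) is collapsed into a single assumed `_owner` slot, and `newVar` is a hypothetical variable added in an upgrade.

```python
# Added example, not code from the HOPR repository: a small model of how Solidity
# assigns storage slots along an inheritance chain, used to show why a base
# contract without a reserved gap breaks child storage on upgrade. The variable
# names below (_owner, newVar) and slot numbers are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Var:
    name: str
    slots: int = 1          # a uint256[50] gap spans 50 consecutive slots

def layout(chain):
    """chain: [(contract, [Var, ...]), ...] ordered most-base first, the order
    in which Solidity lays out inherited state. Returns {Contract.var: first slot}.
    Simplification: every variable starts a fresh slot (no packing)."""
    slot, out = 0, {}
    for contract, vars_ in chain:
        for v in vars_:
            out[f"{contract}.{v.name}"] = slot
            slot += v.slots
    return out

def upgrade_collisions(base_v1, base_v2, child):
    """Compare the layout before and after upgrading only the base contract.
    Returns {child_var: (old_slot, new_slot)} for every child variable that moved,
    i.e. whose old slot is now read through some base variable instead."""
    before = layout([("SimplifiedModule", base_v1), ("HoprNodeManagementModule", child)])
    after = layout([("SimplifiedModule", base_v2), ("HoprNodeManagementModule", child)])
    return {k: (before[k], after[k]) for k in before
            if k.startswith("HoprNodeManagementModule.") and before[k] != after[k]}

CHILD = [Var("multisend")]                      # address public multisend; in the child

# Without a gap: appending newVar to the base pushes multisend from slot 1 to slot 2,
# so after the upgrade the proxy reads the stored multisend address as newVar.
NO_GAP_V1 = [Var("_owner")]
NO_GAP_V2 = [Var("_owner"), Var("newVar")]

# With a gap: the new variable consumes one gap slot and the gap shrinks to 49,
# so the child's slot never moves (the OpenZeppelin convention the report recommends).
GAP_V1 = [Var("_owner"), Var("__gap", 50)]
GAP_V2 = [Var("_owner"), Var("newVar"), Var("__gap", 49)]

if __name__ == "__main__":
    print("no gap  :", upgrade_collisions(NO_GAP_V1, NO_GAP_V2, CHILD))  # {'...multisend': (1, 2)}
    print("with gap:", upgrade_collisions(GAP_V1, GAP_V2, CHILD))        # {}
```

The model only tracks slot starts; real layouts also pack small types and include the inherited OpenZeppelin gaps, but the conclusion that the child's slot moves exactly when the base grows without a gap is the same.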
QYuQianchen commented 11 months ago

Thank you for your submission. The upgradeability of the module contract is not intended to be invoked when adding new variables. However, this generic recommendation is valid, thus it is still accepted as a valid submission.