sherlock-audit / 2022-11-float-capital-judging


8olidity - Upgradeable contract is missing a `__gap[50]` storage variable to allow for new storage variables in later versions #27

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

8olidity

medium

Upgradeable contract is missing a __gap[50] storage variable to allow for new storage variables in later versions

Summary

PoolToken.sol Missing Storage Gaps

Vulnerability Detail

See this link for a description of this storage variable. While some contracts may not currently be sub-classed, adding the variable now protects against forgetting to add it in the future.

```solidity
contract PoolToken is AccessControlledAndUpgradeable, ERC20Upgradeable, ERC20BurnableUpgradeable, ERC20PermitUpgradeable, IPoolToken {
  /// @notice Role that is assigned to the single entity that is allowed to call mint
  bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
```

Impact

PoolToken.sol Missing Storage Gaps

Code Snippet

https://github.com/sherlock-audit/2022-11-float-capital/blob/main/contracts/PoolToken/PoolToken.sol#L13

Tool used

Manual Review

Recommendation

```solidity
uint256[50] private __gap;
```

JasoonS commented 1 year ago

Storage gaps are only required if you want to keep memory in a nice grouping.

This seems invalid - we have no desire to put new storage variables in-between old ones in the PoolToken.
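
The slot arithmetic behind the two positions in this thread, as an added example that is not part of the issue or of the Float Capital code base: a simplified Python model of Solidity's sequential storage layout, comparing an upgrade that appends to a leaf contract with one that adds a variable to a base contract, with and without a `__gap`. It assumes every variable fills whole 32-byte slots (no packing), and the contract and variable names are hypothetical.

```python
# Simplified model of Solidity storage layout: variables get consecutive slots,
# base contracts first, most-derived contract last. Every variable occupies
# whole 32-byte slots (no packing). Contract/variable names are hypothetical.

def layout(contracts):
    """contracts: [(contract_name, [(var_name, slot_count), ...]), ...],
    ordered most-base to most-derived. Returns {"Contract.var": first_slot}."""
    slots, next_slot = {}, 0
    for contract, variables in contracts:
        for var, size in variables:
            slots[f"{contract}.{var}"] = next_slot
            next_slot += size
    return slots

def moved(old, new):
    """Variables in both layouts whose slot changed after the upgrade.
    The reserved __gap padding is ignored: it holds no data."""
    return sorted(k for k in old
                  if k in new and old[k] != new[k] and not k.endswith(".__gap"))

# Case 1: leaf contract (nothing inherits from it), variable appended at the end.
leaf_v1 = [("Base", [("owner", 1)]), ("Token", [("minter", 1)])]
leaf_v2 = [("Base", [("owner", 1)]), ("Token", [("minter", 1), ("cap", 1)])]

# Case 2: base contract without a gap gains a variable; the child's slots shift.
nogap_v1 = [("Base", [("owner", 1)]), ("Token", [("minter", 1)])]
nogap_v2 = [("Base", [("owner", 1), ("paused", 1)]), ("Token", [("minter", 1)])]

# Case 3: base reserves uint256[50] __gap and shrinks it by one on upgrade.
gap_v1 = [("Base", [("owner", 1), ("__gap", 50)]), ("Token", [("minter", 1)])]
gap_v2 = [("Base", [("owner", 1), ("paused", 1), ("__gap", 49)]),
          ("Token", [("minter", 1)])]

def compare_cases():
    return {
        "leaf_append": moved(layout(leaf_v1), layout(leaf_v2)),
        "base_no_gap": moved(layout(nogap_v1), layout(nogap_v2)),
        "base_with_gap": moved(layout(gap_v1), layout(gap_v2)),
    }

if __name__ == "__main__":
    for case, shifted in compare_cases().items():
        print(f"{case}: shifted = {shifted or 'none'}")
```

In this model only the base-contract upgrade without a gap relocates an existing variable; appending to the most-derived contract and consuming one gap slot in the base both leave existing slots in place.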