Closed sherlock-admin2 closed 7 months ago
3 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Low. "Storage Slot Collision issue" is Low according to the Sherlock documentation
PNS commented:
Simple contracts with one of the parent contract not implementing storage gaps are considered low/informational.
0xAadi commented:
Invalid: OOS
Tychai0s
medium
Lack of Storage gap in ProxyConstructor.sol
Title
Audit Report: Storage Slot Clash Risk in ProxyConstructor.sol
Summary
This report highlights a vulnerability in the
ProxyConstructor.sol
smart contract, specifically related to the lack of a storage gap after theinitialized
variable.Affected Code
https://github.com/sherlock-audit/2024-02-rubicon-finance/blob/main/gladius-contracts-internal/src/lib/ProxyConstructor.sol#L7
Vulnerability Detail
In
ProxyConstructor.sol:7
, the contract defines aninitialized
boolean variable without a subsequent storage gap. This poses a risk for future upgrades; if new variables are added afterinitialized
, their storage slots may clash with those of variables in inheriting contracts. This can lead to unpredictable behavior and data loss.Impact
The absence of a storage gap following the
initialized
variable can result in severe issues during contract upgrades, including but not limited to data corruption, loss of funds, or unintended contract behavior. This vulnerability undermines the upgradability feature by introducing potential conflicts in storage layout, which could be exploited or result in accidental loss of data integrity.Code Snippet
Tools Used
Manual Review
Recommendation
To mitigate this risk, it is recommended to introduce a storage gap immediately after the initialized variable. A common practice is to allocate one or more slots (e.g., uint256[50] private __gap;) as a buffer between the end of the last defined variable and the start of the next contract's storage layout. This strategy ensures that future variables added to the contract or its inheritors do not clash with existing storage slots, preserving data integrity across upgrades.