sherlock-admin4
commented
8 months ago 2 comment(s) were left on this issue during the judging contest.
WangAudit commented:
invalid; low; fallse under Sherlock'rules about future issues
takarez commented:
invalid
bareli
medium
No Storage Gap for Upgradeable Contract Might Lead to Storage Slot Collision
Summary
For upgradeable contracts, there must be storage gap to "allow developers to freely add new state variables in the future without compromising the storage compatibility with existing deployments" (quote OpenZeppelin). Otherwise it may be very difficult to write new implementation code. Without storage gap, the variable in child contract might be overwritten by the upgraded base contract if new variables are added to the base contract. This could have unintended and very serious consequences to the child contracts, potentially causing loss of user fund or cause the contract to malfunction completely. Refer to the bottom part of this article: https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable
Vulnerability Detail
abstract contract Blacklist is AccessControlUpgradeable {
abstract contract StablecoinHandler is AccessControlUpgradeable, PausableUpgradeable {
contract ProxyFactory is AccessControlUpgradeable, IBeacon {
Impact
Code Snippet
https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/main/telcoin-contracts/contracts/util/abstract/Blacklist.sol#L12
Tool used
Manual Review
Recommendation
Recommend adding appropriate storage gap at the end of upgradeable contracts such as the below. Please reference OpenZeppelin upgradeable contract templates.
uint256[50] private __gap;