The StakingRewardsV2 is an upgradable contract, and it lacks a storage gap, which can lead to storage collisions during contract upgrades. This absence could corrupt storage and disrupt the functionality contract.
Vulnerability Detail
In upgradeable contracts, especially those inheriting from multiple base contracts, it is critical to include a storage gap in base contracts to ensure that new state variables introduced in future versions do not overwrite existing ones in derived contracts.
Without storage gaps, introducing new state variables inside the contract could potentially overwrite the initial storage layout of the child contracts, leading to severe malfunction or unintended behaviors in the system.
Tools Used
Manual Review
Recommendation
To mitigate this risk, it is recommended to include a storage gap in the contract. This can be done by adding a reserved space at the end of the contract’s storage layout, as shown below:
contract StakingRewardsV2 is
IStakingRewardsV2,
Ownable2StepUpgradeable,
PausableUpgradeable,
UUPSUpgradeable
{
// existing code...
// gap to reserve storage in the contract for future variable additions
+ uint256[50] private __gap;
}
This storage gap will safeguard against storage collisions and ensure that future upgrades can be made without risking unintended side effects.
10ap17
Medium
Missing Storage Gap
Summary
The
StakingRewardsV2
is anupgradable contract
, and it lacks astorage gap
, which can lead to storage collisions during contract upgrades. This absence could corrupt storage and disrupt the functionality contract.Vulnerability Detail
In
upgradeable contracts
, especially those inheriting from multiple base contracts, it is critical to include astorage gap
in base contracts to ensure thatnew state variables
introduced in future versions do not overwrite existing ones in derived contracts.For example, in the
StakingRewardsV2
contract, there is nostorage gap
declared, which could lead to unintended storage corruption if the base contract is upgraded in the future. https://github.com/sherlock-audit/2024-07-kwenta-staking-contracts/blob/main/token/contracts/StakingRewardsV2.sol#L24C1-L24C5Impact
Without
storage gaps
, introducing new state variables inside the contract could potentially overwrite the initial storage layout of the child contracts, leading to severe malfunction or unintended behaviors in the system.Tools Used
Recommendation
To mitigate this risk, it is recommended to include a
storage gap
in the contract. This can be done by adding a reserved space at the end of the contract’s storage layout, as shown below:This
storage gap
will safeguard against storage collisions and ensure that future upgrades can be made without risking unintended side effects.