LACK OF STORAGE GAP FOR UPGRADEABLE CONTRACTS. #773
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-c
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
code423n4
added
2 (Med Risk)
C4-Staff
added a commit
that referenced
this issue
Jan 6, 2023
|
GalloDaSballo marked the issue as duplicate of #300 |
|
GalloDaSballo marked the issue as not a duplicate |
|
L |
c4-judge
added
downgraded by judge
|
GalloDaSballo changed the severity to QA (Quality Assurance) |
|
What makes this unique from #300? |
|
@0xju1ie It is not unique, but we rate QA reports separately so we dedoup them |
c4-judge
added
grade-c
unsatisfactory
|
GalloDaSballo marked the issue as grade-c |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/tokens/upgradeable/ERC20Upgradeable.sol#L10
https://github.com/code-423n4/2022-12-gogopool/blob/aec9928d8bdce8a5a4efe45f54c39d4fc7313731/contracts/contract/tokens/upgradeable/ERC4626Upgradeable.sol#L11
Vulnerability details
Impact
Adding new variables in future versions shifts the inheritance chain
Proof of Concept
A storage gap allows new variables to be added in future versions of the contracts without changing the inheritance chain. see https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps for further explanation
Tools Used
Manual
Recommended Mitigation Steps
Add a storage gap similar to https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/25aabd286e002a1526c345c8db259d57bdf0ad28/contracts/token/ERC20/ERC20Upgradeable.sol#L400
The text was updated successfully, but these errors were encountered: