dobrevaleri - Upgrades might cause storage collision #296
Comments
sherlock-admin4
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
sherlock-admin4
changed the title
dobrevaleri
Medium
Upgrades might cause storage collision
Summary
When creating upgradable contracts that inherit from other contracts is important that there are storage gap in case storage variable are added to inherited contracts. If an inherited contract is a stateless contract (i.e. it doesn't have any storage) then it is acceptable to omit a storage gap, since these function similar to libraries and aren't intended to add any storage.
The contracts
EthosAttestation,EthosDiscussion,EthosProfile,EthosReviewandEthosVoteinherit from the AccessControl and SignatureControl, which are abstract stateful contract. The lack of _gap in these contract could lead to storage collisions if another state variables are introduced.Root Cause
Missing storage gap in
AccessControlandSignatureControlcontractsInternal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
AccessControl and SignatureControl can pose a significant risk when updating a contract because they can shift the storage slots of all inherited contracts.
PoC
No response
Mitigation
Add storage gaps to all inherited contracts that contain storage variables.
The text was updated successfully, but these errors were encountered: