Fierce Coral Turkey

Medium

storage gap is inconsistently implemented

Description

We want to acknowledge that, according to the Sherlock rule set, findings related to storage gaps are generally out of scope:

Use of Storage gaps: Simple contracts with one of the parent contract not implementing storage gaps are considered low/informational.

However, there is an important exception to this rule:

  1. Exception: However, if the protocol design has a highly complex and branched set of contract inheritance with storage gaps inconsistently applied throughout and the submission clearly describes the necessity of storage gaps it can be considered a valid medium.

In this case, the protocol inconsistently applies storage gaps across several of its upgradeable contracts. For example:

In MorphToken.sol, the __gap storage is correctly implemented:

import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

//...Some code
    uint256[38] private __gap;
}

However, other upgradeable contracts, such as Distribute.sol, do not implement storage gaps:

import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {EnumerableSetUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/structs/EnumerableSetUpgradeable.sol";

//... Some code but no storage gap

The same is true for Gov.sol, which also lacks a storage gap.

The governance contract is central to the protocol, handling proposal logic and voting. Without storage gaps, upgrades to this contract could lead to storage corruption, potentially causing issues across dependent contracts.

Similarly, Distribute.sol, responsible for delegation, undelegation, and claim logic, is also vulnerable to such corruption. Given the high importance of these contracts and their use across other contracts throughout the protocol, the lack of storage gaps could lead to a serious issue.

Please note that the storage gap is absent from more contracts than those mentioned above; for the purposes of this report, we have chosen to highlight only some examples.
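The slot shift behind this kind of corruption can be shown with a small model. The following is an added example, not part of the original report or the audited code: it assumes Solidity's sequential slot assignment from base to derived contract, ignores variable packing, and uses hypothetical contract names, variable names and gap sizes.

```python
"""Simplified model of Solidity storage layout under inheritance.
Every variable is assumed to occupy whole 32-byte slots (no packing).
All contract/variable names and sizes below are constructed for illustration."""

def layout(chain):
    """chain: [(contract, [(var, slot_count), ...])], most-base contract first.
    Returns {"Contract.var": first_slot}."""
    slots, nxt = {}, 0
    for contract, variables in chain:
        for name, size in variables:
            slots[f"{contract}.{name}"] = nxt
            nxt += size
    return slots

def moved(old_chain, new_chain):
    """Variables whose slot differs between two implementations. Behind a proxy
    the stored data stays put, so a moved variable reads another variable's
    old value. The __gap padding itself is skipped: it holds no data."""
    old, new = layout(old_chain), layout(new_chain)
    return {v: (old[v], new[v]) for v in old
            if v in new and old[v] != new[v] and not v.endswith(".__gap")}

# Hypothetical derived contract that inherits an upgradeable Base.
CHILD = ("Child", [("totalStaked", 1), ("rewardRate", 1)])

# Base WITHOUT a gap: V2 appends feeBps, pushing every Child slot up by one.
NO_GAP_V1 = [("Base", [("owner", 1), ("paused", 1)]), CHILD]
NO_GAP_V2 = [("Base", [("owner", 1), ("paused", 1), ("feeBps", 1)]), CHILD]

# Base WITH `uint256[48] private __gap;`: V2 takes one slot out of the gap
# (48 -> 47), so Child keeps starting at slot 50.
GAP_V1 = [("Base", [("owner", 1), ("paused", 1), ("__gap", 48)]), CHILD]
GAP_V2 = [("Base", [("owner", 1), ("paused", 1), ("feeBps", 1), ("__gap", 47)]), CHILD]

# Failure mode: variable added but the gap was not shrunk to compensate.
GAP_V2_BAD = [("Base", [("owner", 1), ("paused", 1), ("feeBps", 1), ("__gap", 48)]), CHILD]

def report():
    """Collisions for each upgrade scenario."""
    return {
        "no_gap": moved(NO_GAP_V1, NO_GAP_V2),
        "gap_shrunk": moved(GAP_V1, GAP_V2),
        "gap_not_shrunk": moved(GAP_V1, GAP_V2_BAD),
    }

if __name__ == "__main__":
    for scenario, shifts in report().items():
        print(scenario, shifts or "no variables moved")
```

A gap only protects derived contracts when each upgrade reduces it by exactly the number of slots the new variables consume, which is what the third scenario checks.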

Recommendation

Ensure that storage gaps are properly implemented where necessary.