Fierce Coral Turkey
Medium
We want to acknowledge that, according to the Sherlock rule set, findings related to storage gaps are generally out of scope:
Use of Storage gaps: Simple contracts with one of the parent contract not implementing storage gaps are considered low/informational.
However, there is an important exception to this rule:
- Exception: However, if the protocol design has a highly complex and branched set of contract inheritance with storage gaps inconsistently applied throughout and the submission clearly describes the necessity of storage gaps it can be considered a valid medium.
In this case, the protocol inconsistently applies storage gaps across several of its upgradeable contracts. For example:
In MorphToken.sol, the __gap
storage is correctly implemented:
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
//...Some code
uint256[38] private __gap;
}
However, other upgradeable contracts, such as Distribute.sol, do not implement storage gaps:
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import {EnumerableSetUpgradeable} from "@openzeppelin/contracts-upgradeable/utils/structs/EnumerableSetUpgradeable.sol";
//... Some code but no storage gap
The same is true for Gov.sol, which also lacks a storage gap.
The governance contract is central to the protocol, handling proposal logic and voting. Without storage gaps, upgrades to this contract could lead to storage corruption, potentially causing issues across dependent contracts.
Similarly, Distribute.sol
, responsible for delegation, undelegation, and claim logic, is also vulnerable to such corruption. Given the high importance of these contracts and their use across other contracts throughout the protocol, the lack of storage gaps could lead to a serious issue.
Please note that the storage gap is absent not only in the contracts mentioned above, but for the purposes of this report, we have chosen to highlight some examples.
Ensure that storage gaps are properly implemented where necessary