Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing storage gap in AbstractStrategy may affect contract upgradeability #42

Open
c4-submissions opened this issue Sep 27, 2023 · 12 comments
Open

Missing storage gap in AbstractStrategy may affect contract upgradeability #42

c4-submissions opened this issue Sep 27, 2023 · 12 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-09-asymmetry/blob/main/contracts/strategies/AbstractStrategy.sol#L8

Vulnerability details

Summary

The AbstractStrategy contract is intended to be used as a base contract for upgradeable strategies but doesn't contain any storage gap to ensure enough space for future revisions.

Impact

In the AfEth protocol, strategies extend a base contract named AbstractStrategy. Currently, there's only one implemented strategy (VotiumStrategy) that inherits from this base contract.

While the AbstractStrategy contract currently doesn't provide any concrete functionality, is it possible to extend its implementation in a future version, as this is an abstract contract that can allow partial implementations.

Being part of an inheritance chain of upgradeable contracts, it is crucial to maintain the storage layout. Any base contract that might eventually require storage space must reserve it in advance.

The current implementation of AbstractStrategy overlooks this consideration. Any future revision of this contract that may require defining and using storage variables will have its storage space clashing with the contract next in the chain.

Recommendation

To resolve this issue, add a dummy storage gap array to reserve storage space for future additions to the contract.

  abstract contract AbstractStrategy is
      Initializable,
      ReentrancyGuardUpgradeable,
      ERC20Upgradeable
  {
+     uint256[50] private __gap;

Assessed type

Upgradable
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 27, 2023
c4-submissions added a commit that referenced this issue Sep 27, 2023
@c4-submissions
adriro issue #42
7c40714
@toshiSat toshiSat mentioned this issue Sep 29, 2023
Closed
@elmutt
Copy link

elmutt commented Sep 30, 2023

asymmetryfinance/afeth#161

@elmutt elmutt mentioned this issue Sep 30, 2023
Merged
@c4-judge
Copy link
Contributor

c4-judge commented Oct 3, 2023

0xleastwood marked the issue as primary issue

@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Oct 3, 2023
@0xleastwood
Copy link

Technically, ERC20Upgradeable already has a storage gap so could be modified to allow for new variables in AbstractStrategy but I think it makes sense to have this also in the abstract contract.

@c4-judge
Copy link
Contributor

c4-judge commented Oct 4, 2023

0xleastwood marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Oct 4, 2023
@c4-sponsor
Copy link

elmutt (sponsor) confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Oct 4, 2023
@d3e4
Copy link

d3e4 commented Oct 5, 2023

Technically, ERC20Upgradeable already has a storage gap so could be modified to allow for new variables in AbstractStrategy but I think it makes sense to have this also in the abstract contract.

Doesn't this mean that the issue is invalid? Since AbstractStrategy is ERC20Upgradeable and ERC20Upgradeable has a storage gap, then AbstractStrategy does have a storage gap, after all.

@romeroadrian
Copy link

Technically, ERC20Upgradeable already has a storage gap so could be modified to allow for new variables in AbstractStrategy but I think it makes sense to have this also in the abstract contract.

Doesn't this mean that the issue is invalid? Since AbstractStrategy is ERC20Upgradeable and ERC20Upgradeable has a storage gap, then AbstractStrategy does have a storage gap, after all.

That's space reserved for the ERC20Upgradeable contract, which is a third-party library. Taking space from that would eventually clash storage with that contract itself. This is even considering the protocol is aware of the issue, which is correctly raised here :)

@MiloTruck
Copy link

The finding is valid, but according to the org repo "Missing storage gap" issues have always been judged as Low/NC:

@romeroadrian
Copy link

The finding is valid, but according to the org repo "Missing storage gap" issues have always been judged as Low/NC:

I have this one as a reference of med severity
code-423n4/2023-01-biconomy-findings#261

I think this particular case is quite relevant since AbstractStrategy is the foundation of strategies, an d strategies are expected to be added in the future.

@0xleastwood
Copy link

Didn't realise we were standardizing these types of issues. Good to see that's happening, however, I think context of the issue is always important. I would agree that the assumption being made here is that a future upgrade would be done incorrectly and would not be tested in any way. I'm gonna side with @MiloTruck on this one.

@c4-judge
Copy link
Contributor

c4-judge commented Oct 6, 2023

0xleastwood marked the issue as not selected for report

@c4-judge c4-judge removed the selected for report This submission will be included/highlighted in the audit report label Oct 6, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Oct 6, 2023

0xleastwood changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@romeroadrian @elmutt @MiloTruck @0xleastwood @c4-judge @c4-sponsor @d3e4 @C4-Staff @c4-submissions