code423n4 / Code4rena / CODE423N4:2022-12-PREPO-FINDINGS-ISSUES-320
Dec 12, 2022 - 12:00 a.m.

Storage collision in Collateral.sol


Lines of code

Vulnerability details

collateral.sol is an upgradeable contract. Upgradeable contracts should not use the constructor to initialize variables, as these will be set in the contract storage of the implementation contract, instead of the intended contract storage of the proxy contract (more information can be found here: <https://docs.openzeppelin.com/upgrades-plugins/1.x/proxies#the-constructor-caveat>).

However, collateral.sol is using the constructor to set the baseToken and baseTokenDenominator values.

Impact

If the contract is using baseToken or baseTokenDenominator, it will point to storage slots in the proxy contract which are used by other variables, resulting in a miscalculation of _collateralMintAmount in deposit() and _baseTokenAmount in withdraw(), as they’re both relying on the baseTokenDenominator variable.

This will result in users receiving too many/few collateral tokens when depositing the underlying base token or withdrawing too many/few when using the withdraw() function.

Tool Used

Manual Review

Recommended Mitigation Steps

Initialize the baseToken and baseTokenDenominator variables in the initializer instead of the constructor.
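
The constructor caveat cited in the report, next to the initializer pattern it recommends, as an added example that is not code from the finding or from prePO. The contracts `VaultCtor`, `VaultInit`, `MiniProxy` and `Demo` and the `denominator` variable are hypothetical, and the proxy is a bare delegatecall forwarder rather than an OpenZeppelin proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Hypothetical contract: a storage variable written in the constructor.
contract VaultCtor {
    uint256 public denominator; // storage slot 0

    constructor(uint256 decimals_) {
        denominator = 10 ** decimals_; // written to the implementation's own storage
    }
}

// Hypothetical contract: the same variable written by an initializer.
contract VaultInit {
    uint256 public denominator; // storage slot 0
    bool private initialized;   // storage slot 1, blocks a second initialize()

    function initialize(uint256 decimals_) external {
        require(!initialized, "already initialized");
        initialized = true;
        denominator = 10 ** decimals_; // under delegatecall this writes the proxy's storage
    }
}

// Minimal forwarding proxy (no admin, no upgrade logic), only to show the storage context.
contract MiniProxy {
    address private immutable impl; // immutable lives in code, so it takes no storage slot

    constructor(address impl_) {
        impl = impl_;
    }

    fallback() external {
        (bool ok, bytes memory ret) = impl.delegatecall(msg.data);
        require(ok, "delegatecall failed");
        assembly { return(add(ret, 0x20), mload(ret)) }
    }
}

contract Demo {
    function run() external {
        VaultCtor a = VaultCtor(address(new MiniProxy(address(new VaultCtor(18)))));
        assert(a.denominator() == 0); // the constructor never ran against the proxy's storage

        VaultInit b = VaultInit(address(new MiniProxy(address(new VaultInit()))));
        b.initialize(18);
        assert(b.denominator() == 1e18); // the initializer ran in the proxy's context
    }
}
```

Deploying `Demo` and calling `run()` completes without reverting only if both assertions hold.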

