F-2025-0011·upgradeable-storage

Missing storage gaps in upgradeable contract

Fixed · nft · erc721 · erc20
TL;DR

The upgradeable contracts lack storage gap variables, increasing the risk of storage collisions during future upgrades when new state variables are added to parent contracts.

Severity: LOW
Impact: MEDIUM
Likelihood: LOW
Method: Manual review
Complexity: MEDIUM
Exploitability: LOW

Description

The upgradeable contracts lack storage gap variables (__gap). Storage gaps reserve storage slots for future versions, preventing storage collisions when new state variables are added during upgrades of parent contracts.

Impact

Future upgrades that add state variables to parent contracts could overwrite or shift the layout of derived contract variables, leading to corrupted storage and incorrect behaviour.

Recommendation

Add a storage gap at the end of the contract to reserve slots for future upgrades:

```solidity
// Reserved storage space to allow for layout changes in the future.
uint256[50] private __gap;
```

This should be placed just before the closing brace of the contract. The size of the gap (50 in this example) can be adjusted based on anticipated future needs, but 50 is a common value used in OpenZeppelin's upgradeable contracts.
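The layout effect behind this recommendation, as an added example that is not code from the audited project or from this report: the same parent upgrade is shown once without a gap and once with one. All contract and variable names are hypothetical, and the V1/V2 suffixes stand in for two versions of what would be the same contract behind a proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed example; all contract and variable names are hypothetical.

// --- Without a gap: a new parent variable shifts the child's storage ---
abstract contract BaseNoGapV1 {
    uint256 internal feeBps;          // slot 0
}
abstract contract BaseNoGapV2 {
    uint256 internal feeBps;          // slot 0
    address internal feeRecipient;    // slot 1, where V1 kept totalSales
}
contract MarketNoGapV1 is BaseNoGapV1 {
    uint256 internal totalSales;      // slot 1
    function totalSalesSlot() external pure returns (uint256 s) {
        assembly { s := totalSales.slot }
    }
}
contract MarketNoGapV2 is BaseNoGapV2 {
    uint256 internal totalSales;      // slot 2: no longer where the proxy stored it
    function totalSalesSlot() external pure returns (uint256 s) {
        assembly { s := totalSales.slot }
    }
}

// --- With a gap: the new variable consumes one reserved slot ---
abstract contract BaseV1 {
    uint256 internal feeBps;          // slot 0
    uint256[50] private __gap;        // slots 1..50 reserved
}
abstract contract BaseV2 {
    uint256 internal feeBps;          // slot 0
    address internal feeRecipient;    // slot 1, taken from the gap
    uint256[49] private __gap;        // slots 2..50, gap shrunk by one
}
contract MarketV1 is BaseV1 {
    uint256 internal totalSales;      // slot 51
    uint256[50] private __gap;        // slots 52..101, the child's own gap
    function totalSalesSlot() external pure returns (uint256 s) {
        assembly { s := totalSales.slot }
    }
}
contract MarketV2 is BaseV2 {
    uint256 internal totalSales;      // slot 51, unchanged by the parent upgrade
    uint256[50] private __gap;        // slots 52..101
    function totalSalesSlot() external pure returns (uint256 s) {
        assembly { s := totalSales.slot }
    }
}
```

The gap only protects the layout if it is reduced by exactly the number of slots each new variable occupies; comparing `totalSalesSlot()` (or the compiler's storage-layout output) between versions before an upgrade catches a mismatch.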

Resolution

Ipal Network: Confirmed. We agreed with the recommendation.

Zealynx: Not Fixed: Neither contract implements storage gaps. The main KnowledgeMarket.sol contract lacks the recommended uint256[50] private __gap; variable to reserve storage slots for future upgrades.

UPDATE: Fixed.

Status: Fixed