065.md

Fancy Rusty Camel

High

The DecentralizedIndex contract is missing storage gap variable, which could lead to storage collision in updates

Summary

The DecentralizedIndex contract is used as a base contract for the WeightedIndex. These two contracts contracts make up the Pod, which is one the main components of the whole system. However the DecentralizedIndex is missing a storage gap variable. If an update is made and new variables are added to the contract, there will be a storage collision. This will possibly lead to corrupting critical protocol state variables.

Root Cause

The contract inherits from OpenZeppelin's upgradeable contracts but doesn't implement a storage gap (uint256[50] private __gap;). Storage gaps are essential in upgradeable contracts to reserve storage slots for future variable additions. https://github.com/sherlock-audit/2025-01-peapods-finance/blob/d28eb19f4b39d3db7997477460f9f9c76839cb0c/contracts/contracts/DecentralizedIndex.sol#L17

Internal Pre-conditions

Contract must be upgraded in the future with new state variables.

External Pre-conditions

None

Attack Path

1. Protocol deploys WeightedIndex which inherits the current version of DecentralizedIndex.
2. Future upgrade adds new variables.
3. Storage collision occurs with child contract's variables, corrupting state.

Impact

1. Storage collisions could corrupt critical protocol variables
2. User funds could be lost or permanently locked due to corrupted token accounting
3. Impact scope includes all existing Pods, their users, and protocol integrations

PoC

None

Mitigation

Add storage gap to DecentralizedIndex:

+ uint256[50] private __gap;