Magic Rainbow Locust
High
The introduction of unexpected storage variables in TellerV2Context, a contract that was not meant to hold state of its own, will cause a storage slot collision and unauthorized modification of the protocol's critical data, as an attacker who controls the upgrade path can deploy a malicious upgrade whose shifted layout overwrites existing variables.
In TellerV2Storage.sol:133-139, the TellerV2Context contract, which was not intended to introduce storage variables, declares the mappings _trustedMarketForwarders and _approvedForwarderSenders. Solidity assigns storage slots sequentially in C3-linearized inheritance order, so state introduced in an intermediate contract shifts every variable declared after it. Because these additions are not accounted for in the inherited storage layout, an upgraded implementation reads and writes slots that the previous implementation used for other variables, and a malicious upgrade can exploit this to overwrite critical existing state.
No response
No response
- The attacker (who controls or has compromised the entity responsible for upgrades) proposes a new implementation contract of TellerV2Context that introduces additional storage variables.
- Upon upgrade, the introduced variables occupy the same slots as variables previously declared in TellerV2Storage, and every variable declared after them in the linearized layout is shifted to a different slot.
- The original critical data (addresses, configuration parameters, etc.) is overwritten by the attacker's chosen values, while the shifted variables now read stale or foreign data.
- With the data overwritten, the attacker gains unauthorized permissions or access to privileged functions, allowing them to extract funds or alter system behavior at will.
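The slot shift described in the root cause and in the attack path above, as an added example that is not part of this report or of Teller's code base. The contracts StorageV1, ContextV1, ContextV2, ImplV1, ImplV2, Proxy and Demo are hypothetical stand-ins for the TellerV2 inheritance chain; Proxy deliberately leaves upgradeTo() unprotected to model an upgrade path the attacker already controls:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical layout, not Teller's code. Slots are assigned in C3-linearized
// inheritance order, so anything declared in an intermediate contract shifts
// every variable declared after it.

abstract contract StorageV1 {
    address public owner;       // slot 0
    uint256 public feePercent;  // slot 1
}

// The context layer as originally intended: no state of its own.
abstract contract ContextV1 is StorageV1 {}

contract ImplV1 is ContextV1 {
    address public feeRecipient; // slot 2

    // Unguarded initializer: this example has no access control by design.
    function init(address _owner, uint256 _fee, address _recipient) external {
        owner = _owner;
        feePercent = _fee;
        feeRecipient = _recipient;
    }
}

// The upgraded context layer introduces two mappings in the middle of the layout.
abstract contract ContextV2 is StorageV1 {
    mapping(uint256 => address) internal _trustedMarketForwarders;                   // slot 2
    mapping(address => mapping(address => bool)) internal _approvedForwarderSenders; // slot 3
}

contract ImplV2 is ContextV2 {
    address public feeRecipient; // now slot 4; the value the old layout wrote to slot 2 is invisible here

    function setTrustedMarketForwarder(uint256 marketId, address forwarder) external {
        // Writes keccak256(abi.encode(marketId, 2)), never slot 2 itself.
        _trustedMarketForwarders[marketId] = forwarder;
    }

    // Raw slot read, used only to show where the pre-upgrade value went.
    function rawSlot(uint256 slot) external view returns (bytes32 value) {
        assembly { value := sload(slot) }
    }
}

// Minimal EIP-1967 style proxy with an unprotected upgradeTo(), standing in for
// an upgrade path the attacker already controls.
contract Proxy {
    bytes32 internal constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    constructor(address impl) { _setImpl(impl); }

    function upgradeTo(address impl) external { _setImpl(impl); }

    function _setImpl(address impl) internal {
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, impl) }
    }

    fallback() external payable {
        bytes32 slot = IMPL_SLOT;
        assembly {
            let impl := sload(slot)
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Deploy, initialize, upgrade, and read the state back through the proxy.
contract Demo {
    function run()
        external
        returns (address recipientBefore, address recipientAfter, address orphanedAtSlot2)
    {
        Proxy proxy = new Proxy(address(new ImplV1()));
        ImplV1(address(proxy)).init(address(0x1111), 50, address(0x2222));
        recipientBefore = ImplV1(address(proxy)).feeRecipient(); // read from slot 2

        proxy.upgradeTo(address(new ImplV2()));
        recipientAfter = ImplV2(address(proxy)).feeRecipient();  // read from slot 4, never written
        orphanedAtSlot2 = address(uint160(uint256(ImplV2(address(proxy)).rawSlot(2))));
    }
}
```

Calling Demo.run() (from a Foundry test or Remix, for example) returns the recipient set before the upgrade, then the zero address that the upgraded getter reads at slot 4, then the original recipient still sitting at slot 2. Because a mapping stores nothing in its own base slot, the two new mappings do not overwrite slot 2 directly; the damage is that every variable declared after them in the linearized order moves, so the new implementation reads stale or foreign data and its writes land in slots the old layout used for something else (had the new variables been value types, they would overwrite the old data in place). To catch this before an upgrade, compare `forge inspect ImplV1 storage-layout` with `forge inspect ImplV2 storage-layout`, or run the OpenZeppelin Upgrades plugin's layout validation; any variable whose slot changes between the two is a collision.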
The protocol and its users suffer complete compromise of their expected state integrity. Critical parameters, roles, and balances can be overwritten, potentially enabling the attacker to:
- Grant themselves administrative privileges
- Redirect fee payments or loan proceeds
- Misrepresent repayment or collateral requirements
This can lead to severe financial loss for lenders, borrowers, and the protocol's treasury: the attacker siphons funds with the privileges gained, and the protocol's stakeholders lose both value and trust.
No response
No response