# #45368 \[SC-Insight] Corruptible Upgradability Pattern

**Submitted on May 13th 2025 at 11:10:07 UTC by @Anirruth for** [**Audit Comp | Flare | FAssets**](https://immunefi.com/audit-competition/audit-comp-flare-fassets)

* **Report ID:** #45368
* **Report Type:** Smart Contract
* **Report severity:** Insight
* **Target:** <https://github.com/flare-labs-ltd/fassets/blob/main/docs/ImmunefiScope.md>
* **Impacts:**
  * Contract fails to deliver promised returns, but doesn't lose value
  * Corruptible Upgradability Pattern

## Description

## Brief/Intro

Upgradeable smart contracts without proper storage gaps present a critical vulnerability where storage collisions can occur during contract upgrades. When new variables are added to a contract during an upgrade, they can overwrite existing variables, corrupting the contract state.

## Vulnerability Details

The vulnerability occurs when upgradeable contracts fail to implement storage gaps (`__gap`) to reserve space for future state variables. If the owner performs an upgrade that adds a new variable, existing storage slots would be overwritten. The following contracts are upgradeable but do not implement storage gaps: CoreVaultManager, FAsset, AssetManagerController, CollateralPool.

## Impact Details

Storage collisions can cause contract variables to be overwritten or misread, leading to corrupted state and unexpected behavior. The entire contract logic may be compromised, causing core functionalities to fail or behave unexpectedly.

## References

Implement `uint[50] private __gap;` for the upgradable contracts mentioned above.

## Proof of Concept

* The owner wants to upgrade the contract and introduce new variables.
* Without gaps, the newly introduced variable would overwrite existing storage slots and corrupt the variables.
* With storage gaps the new variables could use the gap storage slots.
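
The steps above can be checked mechanically before an upgrade by comparing the old and new storage layouts. The following is an added example, not part of the original report or the FAssets code base: it diffs two layouts in the shape of solc's storage-layout JSON output. The `Base`/`Vault` contracts, their variables (`fee`, `cap`, `owner`) and the layouts are constructed for illustration.

```python
"""Upgrade-safety check over solc storage-layout JSON (added example)."""

def var(label, slot, typ, offset=0):
    # One entry of the "storage" array; real solc output also carries
    # "astId" and "contract", omitted here.
    return {"label": label, "slot": str(slot), "offset": offset, "type": typ}

# Constructed layouts for a hypothetical Vault contract inheriting from Base.
# V2 adds `cap` to Base in both cases.
V1_NO_GAP = {"storage": [var("fee", 0, "t_uint256"),
                         var("owner", 1, "t_address")]}
V2_NO_GAP = {"storage": [var("fee", 0, "t_uint256"),
                         var("cap", 1, "t_uint256"),
                         var("owner", 2, "t_address")]}
V1_GAP = {"storage": [var("fee", 0, "t_uint256"),
                      var("__gap", 1, "t_array(t_uint256)50_storage"),
                      var("owner", 51, "t_address")]}
V2_GAP = {"storage": [var("fee", 0, "t_uint256"),
                      var("cap", 1, "t_uint256"),
                      var("__gap", 2, "t_array(t_uint256)49_storage"),
                      var("owner", 51, "t_address")]}

def by_position(layout):
    """Map (slot, byte offset) -> (label, type) for each state variable."""
    return {(int(v["slot"]), v["offset"]): (v["label"], v["type"])
            for v in layout["storage"]}

def upgrade_conflicts(old, new, gap_label="__gap"):
    """List every old variable that is moved, retyped or replaced in `new`."""
    new_at = by_position(new)
    conflicts = []
    for (slot, offset), (label, typ) in sorted(by_position(old).items()):
        if label == gap_label:
            continue  # reserved slots exist to be consumed by new variables
        found = new_at.get((slot, offset))
        if found != (label, typ):
            now = f"{found[0]} ({found[1]})" if found else "unused"
            conflicts.append(f"slot {slot}: {label} ({typ}) is now {now}")
    return conflicts

if __name__ == "__main__":
    print(upgrade_conflicts(V1_NO_GAP, V2_NO_GAP))  # owner displaced by cap
    print(upgrade_conflicts(V1_GAP, V2_GAP))        # no conflicts
```

Without the gap, `owner` moves from slot 1 to slot 2 while the proxy still holds its value in slot 1; with the gap shrunk from 50 to 49 entries, `owner` stays at slot 51.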


