♻️Tutorial 34: Forgetting to Update the Global State in Smart Contracts

Book an audit with Zokyo

In Solidity, smart contracts often manipulate data stored on the blockchain (known as the global state). For efficiency reasons, developers sometimes work on a copy of the data (typically stored in memory) rather than directly accessing or modifying the data in the storage (the persistent state on the blockchain). While this can optimize performance, forgetting to update the global state after making changes to the copied data can introduce serious logic errors that are hard to detect.

This section explains how forgetting to update the global state can lead to subtle and critical vulnerabilities, why this issue occurs, and how to detect and mitigate such mistakes in smart contract development. Why This Issue Occurs

In Solidity, data can be stored either in storage (global state on the blockchain) or memory (temporary data that only exists during the execution of a function). The keyword storage is used when a variable is expected to persist across function calls, while memory is used when data is only needed temporarily during the execution of a function.

For optimization, developers often work with a local copy of data (stored in memory) to reduce gas costs, as accessing and modifying the global state (stored in storage) is more expensive. However, the issue arises when developers forget to transfer the changes made to the local copy back to the global state.

Example of the Mistake:

struct UserInfo {
    uint256 balance;
    uint256 rewards;
}

mapping(address => UserInfo) public userInfo;

function updateUserBalance(address user, uint256 newBalance) external {
    // The mistake: We load the userInfo into memory, but don't update the global state
    UserInfo memory userLocal = userInfo[user];  // This copies data into memory
    
    userLocal.balance = newBalance;  // This only updates the local copy in memory
    
    // Forgot to write the updated data back to `userInfo[user]` in storage
}

In this case, the balance is updated only in the memory copy (userLocal), but the storage version (userInfo[user]) is never updated. As a result, the changes are lost once the function execution ends, and the user’s balance in the global state remains unchanged.

---

Impact of Forgetting to Update the Global State

Forgetting to update the global state can lead to several critical issues:

1. Data Inconsistencies:

   • When data in memory is modified but not written back to storage, the blockchain's global state remains unchanged. This inconsistency can cause incorrect values to be stored in the contract, affecting users or critical contract operations.

2. Logic Errors:

   • Many operations in DeFi (like token transfers, staking, and reward calculations) rely on accurate and up-to-date state variables. If the global state is not updated, these operations will be executed with incorrect or stale data, potentially leading to financial losses for users or incorrect reward distributions.

3. Subtle Bugs:

   • Since this issue often results from using the wrong keyword (memory instead of storage), it can be difficult to spot in large codebases. The visual similarity between memory and storage can make these bugs elusive and hard to catch through simple code reviews.