Open code423n4 opened 2 years ago
Reigada
This does not pose a direct security risk. Hence, marking as non-critical.
Handle
Reigada
Vulnerability details
Impact
The contract `MixinRoles.sol` makes use of the deprecated function `_setupRole` from the `AccessControl` contract. As per the `AccessControl.sol` contract documentation, this function is deprecated: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/AccessControl.sol#L183
Using deprecated functions may eventually produce unwanted behaviour, for example, if OpenZeppelin decides to remove or update the function.
Proof of Concept
https://github.com/code-423n4/2021-11-unlock/blob/main/smart-contracts/contracts/mixins/MixinRoles.sol#L31
https://github.com/code-423n4/2021-11-unlock/blob/main/smart-contracts/contracts/mixins/MixinRoles.sol#L34
Tools Used
Manual testing
Recommended Mitigation Steps
It is recommended to use the `_grantRole` function instead.