code-423n4 / 2021-11-unlock-findings


USE OF DEPRECATED _SETUPROLE FUNCTION #14

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

Reigada

Vulnerability details

Impact

The contract MixinRoles.sol makes use of the deprecated function _setupRole from the AccessControl contract. As per the AccessControl.sol contract documentation, this function is deprecated: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/AccessControl.sol#L183

Using deprecated functions may eventually produce an unwanted behaviour, for example, if OpenZeppelin decides to remove or update the function.

Proof of Concept

https://github.com/code-423n4/2021-11-unlock/blob/main/smart-contracts/contracts/mixins/MixinRoles.sol#L31

https://github.com/code-423n4/2021-11-unlock/blob/main/smart-contracts/contracts/mixins/MixinRoles.sol#L34

Tools Used

Manual testing

Recommended Mitigation Steps

It is recommended to use the _grantRole function instead.
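A check for the finding above, added here as an example and not part of the original report or the Unlock code base: it scans Solidity source for live calls to `_setupRole` so they can be replaced with `_grantRole`, ignoring mentions in comments and string literals. The sample contract, `SAMPLE_SOL` and `find_deprecated_calls` are constructed for illustration.

```python
import re
import sys

# Constructed sample shaped like a roles mixin; NOT the Unlock source.
SAMPLE_SOL = '''\
pragma solidity ^0.8.0;
import "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";

contract RolesSample is AccessControlUpgradeable {
    bytes32 public constant MANAGER_ROLE = keccak256("MANAGER");

    function _initializeRoles(address sender) internal {
        // old code used _setupRole(MANAGER_ROLE, sender) here
        _setupRole(DEFAULT_ADMIN_ROLE, sender);
        /* _setupRole(MANAGER_ROLE, sender); disabled */
        _grantRole(MANAGER_ROLE, sender);
        string memory note = "_setupRole(";
    }
}
'''

# Comments and string literals are blanked out so only real call sites match.
_SKIP = re.compile(
    r'//[^\n]*'                # line comment
    r'|/\*.*?\*/'              # block comment
    r'|"(?:\\.|[^"\\\n])*"'    # double-quoted string
    r"|'(?:\\.|[^'\\\n])*'",   # single-quoted string
    re.DOTALL)

def _blank(match):
    # Replace everything except newlines so line numbers stay aligned.
    return re.sub(r'[^\n]', ' ', match.group(0))

def find_deprecated_calls(source, name="_setupRole"):
    """Return (line_number, stripped_line) for each call to `name`."""
    code = _SKIP.sub(_blank, source)
    call = re.compile(r'(?<![\w$])' + re.escape(name) + r'\s*\(')
    lines = source.splitlines()
    hits = []
    for m in call.finditer(code):
        n = code.count("\n", 0, m.start()) + 1
        hits.append((n, lines[n - 1].strip()))
    return hits

if __name__ == "__main__":
    # Scan files given on the command line, or the sample if none are given.
    sources = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_SOL]
    found = [hit for src in sources for hit in find_deprecated_calls(src)]
    for n, text in found:
        print(f"line {n}: {text}")
    sys.exit(1 if found else 0)
```

The non-zero exit status on a match lets the script gate a CI job; pointing it at the library's own source would also flag the definition of `_setupRole` itself.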

0xleastwood commented 2 years ago

This does not pose a direct security risk. Hence, marking as non-critical.