Risk of losing admin access if updateAdmin set with same current admin address

[code423n4]

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/StaderConfig.sol#L176-L183

Vulnerability details

N.B : This bug is different that the other one titled "The admin address used in initialize function, can behave maliciously". Both issues are related to access control, but the impact, root cause and bug fix are different, so DO NOT mark it as dupliate of the other one.

Current admin will lose DEFAULT_ADMIN_ROLE role if updateAdmin issued with same address.

Impact

The is a possibility of loss of protocol admin access to this critical StaderConfig.sol contract, if updateAdmin() is set with same current admin address by mistake.

Proof of Concept

Contract : StaderConfig.sol Function : function updateAdmin(address _admin)

Using Brownie python automation framework commands in below examples.

• Step#1 After initialization, admin-A is the admin which has the DEFAULT_ADMIN_ROLE

• Step#2 update new Admin StaderConfig.updateAdmin(admin-B, {'from':admin-A}) The value of StaderConfig.getAdmin() is admin-B

• Step#3 admin-B updates admin to itself again StaderConfig.updateAdmin(admin-B, {'from':admin-B}) The value of StaderConfig.getAdmin() is admin-B, but the DEFAULT_ADMIN_ROLE is revoked due to _revokeRole(DEFAULT_ADMIN_ROLE, oldAdmin); Now the protocol admin control is lost for StaderConfig contract

Recommended Mitigation Steps

Ref : https://github.com/code-423n4/2023-06-stader/blob/7566b5a35f32ebd55d3578b8bd05c038feb7d9cc/contracts/StaderConfig.sol#L177 In the updateAdmin() function, add a check for oldAdmin != _admin , like below

    address oldAdmin = accountsMap[ADMIN];
+   require(oldAdmin != _admin, "Already set to admin");

## Assessed type

Access Control

[Picodes]

"so DO NOT mark it as dupliate of the other one." -> I don't understand, is this an order (in which case it is a bit inappropriate), or a discussion between the warden and someone?

[c4-judge]

Picodes changed the severity to 2 (Med Risk)

[c4-judge]

Picodes marked the issue as primary issue

[c4-sponsor]

manoj9april marked the issue as sponsor confirmed

[manoj9april]

Sure, we will fix this.

[c4-judge]

Picodes marked issue #252 as primary and marked this issue as a duplicate of 252

[c4-judge]

Picodes marked the issue as selected for report

[rvierdiiev]

Isn't this same as just transfer role to the address 0 or any other address? Why protocol will need to change role to same address? Isn't this informative issue?

[Co0nan]

I believe this fall under the "Admin Privilege" category as such an issue should be marked as QA based on C4 docs and how similar issues got judged.

[Picodes]

@rvierdiyev @Co0nan I respectfully disagree:

• this is not an occurrence of "Admin Privilege" which are issues where a privileged role uses his position to grief the protocol. Here there is clearly a slight bug in the code
• we could argue that transferring the role to the same address is very unlikely but it is not an error in itself. The function clearly does not behave as intended in this case
• if you combine this with the fact that in initialize there is no call to setAccount(ADMIN, _admin); (see https://github.com/code-423n4/2022-06-stader-findings/issues/133) then it becomes actually likely that the admin calls this function for himself

[Picodes]

@Co0nan for information "Admin Privilege" aren't always QA, it depends on the context and is up to the judge. See https://github.com/code-423n4/org/issues/54 and https://github.com/code-423n4/org/issues/59 for the ongoing discussion about this.

[Co0nan]

Here there is clearly a slight bug in the code.

@Picodes personally I got my reports downgraded to QA even though the bug was clearly in the code itself but because it only occurs through an action taken by a privileged user it's downgraded. Here, this bug occurs from Admin as he passes an address twice. I have to stand with @rvierdiyev this is likely to missing Zero address Check on onlyOwner functions.

However, It's up to you as the Judge and I respect your final conclusion.

[sanjay-staderlabs]

This is fixed in the code