Open c4-submissions opened 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
raymondfam marked the issue as high quality report
manoj9april marked the issue as disagree with severity
Thank you for submitting the review. We believe this issue is not of high severity given that we own the addresses that manage the access control of RSETH. It falls into a QA category of severity.
manoj9april (sponsor) confirmed
Agree that this constitutes QA.
fatherGoose1 changed the severity to QA (Quality Assurance)
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/RSETH.sol#L19
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/RSETH.sol#L16
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/RSETH.sol#L73
Vulnerability details
Impact
A critical issue in the RSETH contract arises from two access control systems operating at the same time, which leads to confusing and possibly inconsistent privileges. The RSETH contract inherits from AccessControlUpgradeable and additionally holds a reference to an LRTConfig, which itself inherits from AccessControlUpgradeable. This dual-system approach (inheritance plus composition) means that different functions consult different role registries.
The inherited access control in RSETH guards key functions such as mint, burnFrom, unpause, and updateLRTConfig. The pause function, by contrast, relies on the access control of the LRTConfig. The core problem is that nothing forces the two systems to agree on who holds the administrator role.
In other words, the two systems can assign roles to different addresses. For example, the inherited system grants Alice the DEFAULT_ADMIN_ROLE, while the composed system (from LRTConfig) assigns the DEFAULT_ADMIN_ROLE only to Bob. Depending on which system you ask, you get different answers to "Is Alice an admin?".
Proof of Concept
Consider the following scenario:
There are two problematic consequences of this action:
Here are two test cases to trigger these scenarios respectively.
Use
forge test --match-test test_access_control_violation
to reproduce. The first test fails because its last line does not revert as expected. The second test fails because its last line unexpectedly reverts.
Recommended Mitigation Steps
Eliminate the dual access control system in the RSETH contract. Ensure a consistent access control mechanism is used for all administrative functions to avoid conflicting permissions.
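To make the two shapes concrete, here is an added, simplified illustration written for this page; it is not the Kelp code base's RSETH or LRTConfig. The first contract reproduces the split (pause answered by the config's registry, unpause by the token's own), the second routes every privileged check through the single registry; the ILRTConfigLike interface and the contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

import {AccessControlUpgradeable} from
    "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";

// Hypothetical stand-in for LRTConfig: any contract exposing an AccessControl registry.
interface ILRTConfigLike {
    function hasRole(bytes32 role, address account) external view returns (bool);
}

/// Vulnerable shape: two independent role registries guard one contract.
contract DualAdminToken is AccessControlUpgradeable {
    ILRTConfigLike public lrtConfig;
    bool public paused;

    function initialize(address admin, address config) external initializer {
        __AccessControl_init();
        _grantRole(DEFAULT_ADMIN_ROLE, admin); // registry #1: this contract's own roles
        lrtConfig = ILRTConfigLike(config);    // registry #2: the config's roles
    }

    // Answered by registry #2: a config admin may pause...
    function pause() external {
        require(lrtConfig.hasRole(DEFAULT_ADMIN_ROLE, msg.sender), "not config admin");
        paused = true;
    }

    // ...but unpause is answered by registry #1, so the same caller may be refused.
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) {
        paused = false;
    }
}

/// Hardened shape: every privileged check is answered by the same registry.
contract SingleAdminToken {
    bytes32 public constant DEFAULT_ADMIN_ROLE = 0x00; // same value OpenZeppelin uses
    ILRTConfigLike public immutable lrtConfig;
    bool public paused;

    constructor(address config) { lrtConfig = ILRTConfigLike(config); }

    modifier onlyConfigAdmin() {
        require(lrtConfig.hasRole(DEFAULT_ADMIN_ROLE, msg.sender), "not config admin");
        _;
    }

    function pause() external onlyConfigAdmin { paused = true; }
    function unpause() external onlyConfigAdmin { paused = false; }
}
```

With the hardened shape, "Is Alice an admin?" has exactly one source of truth, so a role granted in one place cannot be silently missing in another.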
Tools used
Foundry
Assessed type
Access Control