Closed c4-bot-8 closed 7 months ago
bytes032 marked the issue as insufficient quality report
The Warden details how the role structure of the Opus system can be fine-tuned, which cannot constitute an HM vulnerability and is better suited to an Analysis report.
alex-ppg marked the issue as unsatisfactory: Invalid
alex-ppg marked the issue as primary issue
Lines of code
https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/roles.cairo#L195-L197
https://github.com/code-423n4/2024-01-opus/blob/4720e9481a4fb20f4ab4140f9cc391a23ede3817/src/core/roles.cairo#L185-L187
Vulnerability details
Impact
Least Privilege Principles
The roles mostly follow principles of least privilege by granting restricted subsets of permissions:
src/core/roles.cairo#L195-L197
src/core/roles.cairo#L185-L187
This limits blast radius if a contract with that role is compromised.
Exceptions
A few exceptions grant unnecessary privileges:
- sentinel_roles.purger() has EXIT permission to withdraw assets from Gates, an unnecessary capability
- shrine_roles.all_roles() combines total privileges that are only needed for testing
- No restriction on admin roles updating permissions
Tools Used
Vscode
Recommended Mitigation Steps
🔥 Remove EXIT for Purger in Sentinel
🔥 Restrict all_roles() to test environments
🔒 Add timelock for admin role changes
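The two mitigations above, modelled in Python as an added example that is not part of this report or of the Opus codebase: roles are assumed to be permission bitmasks (as in roles.cairo), the permission names other than EXIT and the bit values are constructed, and admin role changes are gated by a propose/execute delay.

```python
# Constructed permission bits; EXIT is the Gate-withdrawal permission the report
# discusses, the other names and all bit values are assumptions, not Opus's own.
ADD_YANG, ENTER, EXIT, KILL_GATE, SET_DEBT_CEILING = 1, 2, 4, 8, 16
ALL_ROLES = ADD_YANG | ENTER | EXIT | KILL_GATE | SET_DEBT_CEILING


def excess_permissions(granted: int, required: int) -> int:
    """Least-privilege audit: bits in `granted` that `required` does not justify."""
    return granted & ~required


def has_permission(role: int, perm: int) -> bool:
    """True when every bit of `perm` is present in `role`."""
    return role & perm == perm


class TimelockedRoles:
    """Role registry where an admin's role change only takes effect after `delay`."""

    def __init__(self, delay: int) -> None:
        self.delay = delay
        self.roles: dict[str, int] = {}
        self.pending: dict[str, tuple[int, int]] = {}

    def propose(self, account: str, new_role: int, now: int) -> int:
        """Queue a role change; returns the earliest timestamp it can be executed."""
        eta = now + self.delay
        self.pending[account] = (new_role, eta)
        return eta

    def execute(self, account: str, now: int) -> int:
        """Apply a queued change once its delay has elapsed; returns the new role."""
        new_role, eta = self.pending[account]
        if now < eta:
            raise PermissionError(f"role change for {account} executable at {eta}")
        del self.pending[account]
        self.roles[account] = new_role
        return new_role
```

The delay gives operators a window to notice and react to an unexpected grant before it becomes effective.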
Assessed type
Access Control