Open c4-bot-2 opened 7 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #20
HickupHH3 marked the issue as satisfactory
HickupHH3 marked the issue as selected for report
selecting as best report because it also mentions that _grantRole
should be used instead of _setupRole
Dear Judge: This issue have been covered by 4naly3er: https://github.com/code-423n4/2024-02-ai-arena/blob/main/4naly3er-report.md#l-1-do-not-use-deprecated-library-functions Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
Also provide references to the same issue in 2023-08-dopex for comparison. https://github.com/code-423n4/2023-08-dopex-findings/issues/871
Thanks for your reply!!
QA (Centralization Risk). For this to be an actual issue, you would need to compromise either the admin or the minter / staker / spender contracts.
Hey @iceBearRobot and @Haxatron,
The issue isn't about deprecated functions or compromising roles.
It's about the devs not initializing the DEFAULT_ADMIN_ROLE correctly, which makes all roles irrevocable. This doesn't pose a risk of centralization. Take another look at the issue please.
For that to be an actual issue, the admin must either be compromised, accidentally assign the roles to wrong address or compromise the contracts assigned this role.
@Haxatron Haven't you ever encountered protocols where an owner assigns a role to an address(Not by mistake), and then revoked it later on when the role is no longer needed?
This falls under:
Assets not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
The address will be immutable contracts, if they are EOAs then maybe it will be a different story.
I will defer to the judge for this one.
Given some of the reports mention being unable to revoke in the case of malicious actors or leaked private keys, some added context from the sponsor during the contest:
This meaning both the above are impossible barring significant error on the part of the protocol team (assigning roles to a wrong address (an EOA)). Whether or not being unable to revoke previously trusted contracts warrants a med is up to the judge's decision, but thought the added context would be useful.
Yes, I'm excluding admin error in this. Simply about functionality: not being able to revoke roles might be problematic for deprecation / migration purposes
Lines of code
https://github.com/code-423n4/2024-02-ai-arena/blob/cd1a0e6d1b40168657d1aaee8223dc050e15f8cc/src/Neuron.sol#L93-L96 https://github.com/OpenZeppelin/openzeppelin-contracts/blob/ecd2ca2cd7cac116f7a37d0e474bbb3d7d5e1c4d/contracts/access/AccessControl.sol#L40-L47 https://github.com/OpenZeppelin/openzeppelin-contracts/blob/ecd2ca2cd7cac116f7a37d0e474bbb3d7d5e1c4d/contracts/access/AccessControl.sol#L194-L207
Vulnerability details
Impact
From Neuron::addMinter and AccessControl::setupRole
Roles of minter, staker, spender can never be revoked due to missing default admin implementation. The
DEFAULT_ADMIN_ROLE
= 0x00 which is default role which is admin to all the roles, and the real contract owner should own this role, since it is not granted, the owner cannot govern the roles.Another wrong implemnatation is using
_setupRole
to grant roles intead of using_grantRole
, because of the warnings in the library contract.From Openzeppelin::AccessControl and AccessControl::setupRole
Proof of Concept
-Now paste the below POC into test/Neuron.t.sol and run
forge t --mt test_POC_Revoke -vvvv
Tools Used
Manual + Foundry testing
Recommended Mitigation Steps
Modify the constructor on Neuron.sol to grant default admin role to owner.
Assessed type
Access Control