/// @notice Sets the allowed burning addresses.
/// @dev Only the admins are authorized to call this function.
/// @param newBurningAddress The address to allow for burning.
function setAllowedBurningAddresses(address newBurningAddress) public {
    require(isAdmin[msg.sender]);
    allowedBurningAddresses[newBurningAddress] = true;
}
This function has been replaced with the function adjustBurningAccess, which accepts an additional bool access parameter that determines whether the burner role will be set or revoked for the given address:
/// @notice Adjusts the allowed burning addresses.
/// @dev Only the admins are authorized to call this function.
/// @param burningAddress The address to adjust for burning.
function adjustBurningAccess(address burningAddress, bool access) public {
    require(isAdmin[msg.sender]);
    allowedBurningAddresses[burningAddress] = access;
}
Suggestion
Add the new access parameter to the NatSpec's @param variables.
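A regression test for this mitigation, as an added example that is not code from PR #18 or from the project. It assumes Foundry's forge-std; `BurnerAccessHarness`, the test contract, the burner address and the wording of the `@param access` line are all constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

/// Constructed stand-in (not the GameItems contract): only the two mappings
/// and the mitigated function, so the grant/revoke path can be tested alone.
contract BurnerAccessHarness {
    mapping(address => bool) public isAdmin;
    mapping(address => bool) public allowedBurningAddresses;

    constructor() {
        isAdmin[msg.sender] = true; // assumption: the deployer is an admin
    }

    /// @notice Adjusts the allowed burning addresses.
    /// @dev Only the admins are authorized to call this function.
    /// @param burningAddress The address to adjust for burning.
    /// @param access True to allow burning for the address, false to revoke it.
    function adjustBurningAccess(address burningAddress, bool access) public {
        require(isAdmin[msg.sender]);
        allowedBurningAddresses[burningAddress] = access;
    }
}

contract BurnerAccessTest is Test {
    BurnerAccessHarness internal items;
    address internal burner = address(0xB0B); // constructed sample address

    function setUp() public {
        items = new BurnerAccessHarness(); // this test contract becomes the admin
    }

    function testAdminCanGrantThenRevoke() public {
        items.adjustBurningAccess(burner, true);
        assertTrue(items.allowedBurningAddresses(burner));
        items.adjustBurningAccess(burner, false); // the revoke path M-08 reported as missing
        assertFalse(items.allowedBurningAddresses(burner));
    }

    function testNonAdminCannotChangeAccess() public {
        vm.prank(burner); // the next external call is sent from a non-admin
        vm.expectRevert();
        items.adjustBurningAccess(burner, true);
        assertFalse(items.allowedBurningAddresses(burner)); // state unchanged after the revert
    }
}
```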
Lines of code
Vulnerability details
C4 issue
M-08: Burner role can not be revoked
Comments
Burner roles in the GameItems contract could be set but not revoked by the contract admins.
Mitigation
PR #18
The function setAllowedBurningAddresses has been replaced with the function adjustBurningAccess, which accepts an additional bool access parameter that determines whether the burner role will be set or revoked for the given address.
Suggestion
Add the new access parameter to the NatSpec's @param variables.
Conclusion
LGTM