code-423n4 / 2024-04-ai-arena-mitigation-findings

M-08 MitigationConfirmed #24

Closed c4-bot-9 closed 5 months ago

c4-bot-9 commented 5 months ago

Lines of code

Vulnerability details

C4 issue

M-08: Burner role can not be revoked

Comments

Burner roles in the GameItems contract could be set but not revoked by the contract admins.

Mitigation

PR #18

The function setAllowedBurningAddresses:

/// @notice Sets the allowed burning addresses.
/// @dev Only the admins are authorized to call this function.
/// @param newBurningAddress The address to allow for burning.
function setAllowedBurningAddresses(address newBurningAddress) public {
    require(isAdmin[msg.sender]);
    allowedBurningAddresses[newBurningAddress] = true;
}

has been replaced with the function adjustBurningAccess, which accepts an additional bool access parameter that determines whether the burner role will be set or revoked for the given address:

/// @notice Adjusts the allowed burning addresses.
/// @dev Only the admins are authorized to call this function.
/// @param burningAddress The address to adjust for burning.
function adjustBurningAccess(address burningAddress, bool access) public {
    require(isAdmin[msg.sender]);
    allowedBurningAddresses[burningAddress] = access;
}

Suggestion

Add the new access parameter to the NatSpec's @param variables.

Conclusion

LGTM

c4-judge commented 5 months ago

jhsagd76 marked the issue as nullified
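
A regression check for the mitigation reviewed above, as an added example that is not code from the AI Arena repository or from the reviewer. `BurnAccessHarness`, its `burn` gate and `burned` counter, `Burner`, and `BurnAccessCheck` are hypothetical stand-ins; only `adjustBurningAccess`, `isAdmin` and `allowedBurningAddresses` come from the quoted code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical stand-in for GameItems: only the access-control pieces quoted above.
contract BurnAccessHarness {
    mapping(address => bool) public isAdmin;
    mapping(address => bool) public allowedBurningAddresses;
    uint256 public burned; // constructed counter standing in for real token burning

    constructor() { isAdmin[msg.sender] = true; }

    /// @param burningAddress The address to adjust for burning.
    /// @param access True to grant the burner role, false to revoke it.
    function adjustBurningAccess(address burningAddress, bool access) public {
        require(isAdmin[msg.sender]);
        allowedBurningAddresses[burningAddress] = access;
    }

    // Assumed gate: burning requires the caller to hold the burner role.
    function burn(uint256 amount) public {
        require(allowedBurningAddresses[msg.sender]);
        burned += amount;
    }
}

// Hypothetical burner contract, so the check has a msg.sender distinct from the admin.
contract Burner {
    function doBurn(BurnAccessHarness h, uint256 amount) external { h.burn(amount); }
    function tryAdjust(BurnAccessHarness h, address who) external { h.adjustBurningAccess(who, true); }
}

contract BurnAccessCheck {
    // Returns true only if grant, revoke and the admin gate all behave as intended.
    function run() external returns (bool) {
        BurnAccessHarness h = new BurnAccessHarness(); // this contract becomes the admin
        Burner b = new Burner();

        h.adjustBurningAccess(address(b), true);       // grant the burner role
        b.doBurn(h, 1);
        if (h.burned() != 1) return false;

        h.adjustBurningAccess(address(b), false);      // revoke it again
        try b.doBurn(h, 1) { return false; } catch {}  // a revoked burner must revert

        // A non-admin must not be able to re-grant the role to itself.
        try b.tryAdjust(h, address(b)) { return false; } catch {}
        return h.burned() == 1 && !h.allowedBurningAddresses(address(b));
    }
}
```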