Role provider permission escalation

[howlbot-integration[bot]]

Lines of code

https://github.com/code-423n4/2024-08-wildcat/blob/fe746cc0fbedc4447a981a50e6ba4c95f98b9fe1/src/access/FixedTermLoanHooks.sol#L404-L413

Vulnerability details

Proof of Concept

The grantRole function says that:

   *      If the account has an existing credential, it can only be updated if:
   *      - the previous credential's provider is no longer supported, OR
   *      - the caller is the previous role provider, OR
   *      - the new expiry is later than the current expiry

However this is not always true. Consider the following scenario:

• 1st call would set the expiry(roleGrantedTimestamp) just a bit later than the current one. As a consequence there will be a new role provider.
• Because they are the previous role provider, they can make a 2nd call that will reduce the expiry as much as possible.

This means that a role providers should not be able to reduce a credential set by another role provider. As a consequence they will be able to reduce the credentials when they should not be able to.

Recommended Mitigation Steps

Refactor the function so that's not possible

Assessed type

Other

[c4-judge]

3docSec marked the issue as satisfactory