Open hats-bug-reporter[bot] opened 4 months ago
"This is an issue because it breaks the trust assumptions of the authorizer module." -> Where does it break the trust assumption of the Authorizer? This should be invalid, because we assume that the roles are trusted and uncorrupted in the first place. Or am I misreading something here?
Thanks @FHieser, the issue is invalid.
Github username: @0xfuje
Twitter username: 0xfuje
Submission hash (on-chain): 0x94ec3c2f8f0e3eaafd4880abb7394d6d51bb135f038f2e5695eb6b7e651162b3
Severity: medium
Description:
Impact
Unauthorized execution of role restricted functions can lead to numerous issues
Description
The `Authorizer` module is based on openzeppelin's `AccessControl` contract (`AccessControlEnumerableUpgradeable` inherits `AccessControlUpgradeable`). The problem is that any role owner can grant the same role to infinite addresses and also revoke their own address via directly calling `grantRole()` and `revokeRole()`. This is an issue because it breaks the trust assumptions of the `authorizer` module.

lib/openzeppelin-contracts-upgradeable/contracts/access/AccessControlUpgradeable.sol
I will demonstrate a few problematic examples:

- `PAYMENT_PUSHER_ROLE` starts to push malicious payments, so the owner will try to renounce their role, however he already duplicated the role 1000 times. To bypass the revokes, he will front-run revokes with more `grantRole()` calls.
- `BOUNTY_ISSUER_ROLE`s issuing bounties, however to stay ahead of the competition one of them decides to revoke every other issuer via calling `revokeRole()` directly.
- `Orchestrator` via `AUT_ROLES_v1`, however one of them decides to revoke each one, including himself, in the process permanently denying every owner restricted function.

Note that to give and revoke permissions of specific module roles, the malicious actors should generate the roles via `generateRoleId(module, role)`.
Recommendation
Consider overriding and reverting the `grantRole()` and `revokeRole()` functions in `AUT_Roles_v1.sol`: