Closed sherlock-admin2 closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
auditsea commented:
Input validation
1 comment(s) were left on this issue during the judging contest.
auditsea commented:
Input validation
Invalid, grating of roles is an admin mechanism, this would constitue admin input error not valid based on sherlock rules see point 5.
bareli
medium
Input Validation:
Summary
Input Validation: The contract assumes that role identifiers (bytes32 role) are valid. There should be checks to ensure that roles are properly initialized and managed.
Vulnerability Detail
function _grantRole(bytes32 role, address account) internal virtual { LibAccessControl.accessControlStorage().roles[role].members.add( account ); emit LibAccessControl.RoleGranted(role, account, msg.sender); } function _revokeRole(bytes32 role, address account) internal virtual { LibAccessControl.accessControlStorage().roles[role].members.remove( account ); emit LibAccessControl.RoleRevoked(role, account, msg.sender); }
Impact
any role can be approved or revoked.
Code Snippet
https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/access/AccessControlInternal.sol#L91
Tool used
Manual Review
Recommendation
use a require statement so that role is not zero.