search

sherlock-audit / 2023-12-ubiquity-judging

2 stars 2 forks source link

bareli - Access Control #177

Closed sherlock-admin closed 10 months ago

sherlock-admin commented 10 months ago

bareli

medium

Access Control

Summary

Access Control: The setIncentiveContract function allows an admin to set an incentive contract for any account. It is important to ensure that the admin role is protected and that the process for setting incentive contracts is transparent and secure.

Vulnerability Detail

function setIncentiveContract(address account, address incentive) external { require( accessControl.hasRole(GOVERNANCE_TOKEN_MANAGER_ROLE, _msgSender()), "Dollar: must have admin role" );

    incentiveContract[account] = incentive;
    emit IncentiveContractUpdate(account, incentive);
}

Impact

Any can incentive contract for any account.

Code Snippet

https://github.com/sherlock-audit/2023-12-ubiquity/blob/main/ubiquity-dollar/packages/contracts/src/dollar/core/UbiquityDollarToken.sol#L68

Tool used

Manual Review

Recommendation

There should be some input validation.

sherlock-admin2 commented 10 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Input validation

sherlock-admin2 commented 10 months ago

1 comment(s) were left on this issue during the judging contest.

auditsea commented:

Input validation

nevillehuang commented 10 months ago

Invalid, grating of roles is an admin mechanism, this would constitue admin input error not valid based on sherlock rules see point 5.