Closed sherlock-admin2 closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { what watson recommends here is the same as what's actually there; grantRole is the same as the setRole}
But it isn't added in the constructor? It is missing.
Invalid, admin can simply grant the necessary roles via grantRole() as seen here
eeshenggoh
medium
Telcoin uses RBAC method for access control and did not add roles to admin roles
Summary
The protocol uses Role-Based Access Control in the contracts StakingRewardsManager and CouncilMember.sol. The implementation does not follow OpenZeppelin's documentation and leads to problems.
Vulnerability Detail
In CouncilMember.sol::initialize(), the DEFAULT_ADMIN_ROLE does not have the admin roles set up, which means the admin roles in initialize:
In StakingRewardsManager.sol::initialize(), the DEFAULT_ADMIN_ROLE does not have the admin roles set up in initialize:
Impact
Admins are not able to perform tasks as intended, function calls will revert causing a denial of service.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L64
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/telx/core/StakingRewardsManager.sol#L80
Tool used
Manual Review
Recommendation
You have to put _setRoleAdmin; it is an internal function, thus input it in the initialize function.
In CouncilMember.sol:
In StakingRewardsManager.sol:
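The point the judges and the reporter disagree on is what OpenZeppelin's AccessControl does by default. The contract below is an added example written for this thread, not Telcoin's code: the contract, the role names and the canGrant helper are hypothetical, and it assumes OpenZeppelin contracts-upgradeable 5.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Telcoin's code. Models the initializer pattern discussed
// above with OpenZeppelin's AccessControlUpgradeable (assumed: OZ 5.x paths).
import {AccessControlUpgradeable} from "@openzeppelin/contracts-upgradeable/access/AccessControlUpgradeable.sol";

contract RoleSetupExample is AccessControlUpgradeable {
    // Hypothetical role names; the audited contracts define their own.
    bytes32 public constant SUPPORT_ROLE = keccak256("SUPPORT_ROLE");
    bytes32 public constant BUILDER_ROLE = keccak256("BUILDER_ROLE");

    function initialize(address admin) external initializer {
        __AccessControl_init();
        // In AccessControl every role's admin is DEFAULT_ADMIN_ROLE (bytes32(0))
        // until _setRoleAdmin changes it, so granting DEFAULT_ADMIN_ROLE here
        // is what lets `admin` later call grantRole(SUPPORT_ROLE, x) and
        // grantRole(BUILDER_ROLE, x). No _setRoleAdmin call is required for that.
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    // _setRoleAdmin is only needed when a role should be managed by some role
    // other than DEFAULT_ADMIN_ROLE, e.g. SUPPORT_ROLE holders manage BUILDER_ROLE.
    function delegateBuilderAdmin() external onlyRole(DEFAULT_ADMIN_ROLE) {
        _setRoleAdmin(BUILDER_ROLE, SUPPORT_ROLE);
    }

    // Review helper (hypothetical): true when `account` holds the admin role of
    // `role`, i.e. when grantRole(role, ...) from `account` would not revert.
    function canGrant(address account, bytes32 role) external view returns (bool) {
        return hasRole(getRoleAdmin(role), account);
    }
}
```

The check that actually decides this finding is therefore whether each initializer grants DEFAULT_ADMIN_ROLE to someone: if it does, canGrant(admin, anyRole) is true and grantRole works without _setRoleAdmin; if no address ever receives DEFAULT_ADMIN_ROLE, canGrant is false for every address and the roles can never be granted.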