search

sherlock-audit / 2024-04-titles-judging

9 stars 6 forks source link

0xboriskataa - Not all `EDITION_MANAGER_ROLE` functions can be called #172

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

0xboriskataa

medium

Not all EDITION_MANAGER_ROLE functions can be called

Summary

The TitlesCore.sol contract is set as the controller of a newly deployed Edition.sol contract during the call of the initialize() function. This gives the TitlesCore contract the EDITION_MANAGER_ROLE in the edition contract. However because it does not call all of the functions whose access is restricted to this role some of the functions cannot be used at all.

Vulnerability Detail

In TitlesCore.sol: createEdition() we make a clone of the edition implementation and initialize it with initialize(). In the Edition.sol: initialize() function a controller can be specified that will receive the EDITION_MANAGER_ROLE:

function initialize(,,, //removed for simplicity
        address controller_,) external initializer {
//...
        _grantRoles(controller_, EDITION_MANAGER_ROLE);
        _grantRoles(owner_, EDITION_PUBLISHER_ROLE);

When we call initialize() in TitlesCore.sol: createEdition() the TitlesCore contract itself is set as the controller:

edition.initialize(feeManager, graph, payload.work.creator.target, address(this), payload.metadata);

This means that TitlesCore.sol receives the EDITION_MANAGER_ROLE and is the only address that has it. However the TitlesCore contract does not call grantRoles(), revokeRoles() from Edition.sol which are functions that can be called only by addresses that have this role. This means that these functions cannot be used at all.

Impact

The functions grantRoles() and revokeRoles() from Edition.sol cannot be used at all.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/TitlesCore.sol#L82-L84 https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L89 https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L427 https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L437

Tool used

Manual Review

Recommendation

Call these functions from the TitlesCore contract or give the EDITION_MANAGER_ROLE to the owner for example.

ccashwell commented 4 months ago

This is expected, the EDITION_MANAGER_ROLE holder (TitlesCore) will be upgraded at a later point to leverage this functionality for a planned feature. In any case, it's not a vulnerability.