Not all EDITION_MANAGER_ROLE functions can be called
Summary
The TitlesCore.sol contract is set as the controller of a newly deployed Edition.sol contract during the call of the initialize() function. This gives the TitlesCore contract the EDITION_MANAGER_ROLE in the edition contract. However because it does not call all of the functions whose access is restricted to this role some of the functions cannot be used at all.
Vulnerability Detail
In TitlesCore.sol: createEdition() we make a clone of the edition implementation and initialize it with initialize(). In the Edition.sol: initialize() function a controller can be specified that will receive the EDITION_MANAGER_ROLE:
function initialize(,,, //removed for simplicity
address controller_,) external initializer {
//...
_grantRoles(controller_, EDITION_MANAGER_ROLE);
_grantRoles(owner_, EDITION_PUBLISHER_ROLE);
When we call initialize() in TitlesCore.sol: createEdition() the TitlesCore contract itself is set as the controller:
This means that TitlesCore.sol receives the EDITION_MANAGER_ROLE and is the only address that has it. However the TitlesCore contract does not call grantRoles(), revokeRoles() from Edition.sol which are functions that can be called only by addresses that have this role. This means that these functions cannot be used at all.
Impact
The functions grantRoles() and revokeRoles() from Edition.sol cannot be used at all.
This is expected, the EDITION_MANAGER_ROLE holder (TitlesCore) will be upgraded at a later point to leverage this functionality for a planned feature. In any case, it's not a vulnerability.
0xboriskataa
medium
Not all
EDITION_MANAGER_ROLE
functions can be calledSummary
The
TitlesCore.sol
contract is set as thecontroller
of a newly deployedEdition.sol
contract during the call of theinitialize()
function. This gives theTitlesCore
contract theEDITION_MANAGER_ROLE
in the edition contract. However because it does not call all of the functions whose access is restricted to this role some of the functions cannot be used at all.Vulnerability Detail
In
TitlesCore.sol: createEdition()
we make a clone of the edition implementation and initialize it withinitialize()
. In theEdition.sol: initialize()
function a controller can be specified that will receive theEDITION_MANAGER_ROLE
:When we call
initialize()
inTitlesCore.sol: createEdition()
the TitlesCore contract itself is set as the controller:This means that
TitlesCore.sol
receives theEDITION_MANAGER_ROLE
and is the only address that has it. However theTitlesCore
contract does not callgrantRoles()
,revokeRoles()
fromEdition.sol
which are functions that can be called only by addresses that have this role. This means that these functions cannot be used at all.Impact
The functions
grantRoles()
andrevokeRoles()
fromEdition.sol
cannot be used at all.Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/TitlesCore.sol#L82-L84 https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L89 https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L427 https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L437
Tool used
Manual Review
Recommendation
Call these functions from the
TitlesCore
contract or give theEDITION_MANAGER_ROLE
to the owner for example.