TitlesGraph::createEdge should have access restriction to be called only by ADMIN_ROLE, but didn't
Summary
In TitlesGraph::createEdge anyone can create edge, but it seems edges should be created only by ADMIN_ROLE
Vulnerability Detail
Accordingly to docs, ADMIN_ROLE can "create new Edges at will (createEdges)". createEdges function has onlyRolesOrOwner(ADMIN_ROLE) modifier, that is correct. createEdge should also have this check. Now, every user can call it and create edge.
den_sosnovskyi
medium
TitlesGraph::createEdge
should have access restriction to be called only by ADMIN_ROLE, but didn'tSummary
In
TitlesGraph::createEdge
anyone can create edge, but it seems edges should be created only by ADMIN_ROLEVulnerability Detail
Accordingly to docs, ADMIN_ROLE can "create new Edges at will (createEdges)".
createEdges
function hasonlyRolesOrOwner(ADMIN_ROLE)
modifier, that is correct.createEdge
should also have this check. Now, every user can call it and create edge.Impact
Edges can be created by anyone in a big amount
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L64
Tool used
Manual Review
Recommendation
Add
onlyRolesOrOwner(ADMIN_ROLE)
modifier to thecreateEdge
function