search

sherlock-audit / 2024-04-titles-judging

9 stars 6 forks source link

den_sosnovskyi - `TitlesGraph::createEdge` should have access restriction to be called only by ADMIN_ROLE, but didn't #391

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 5 months ago

den_sosnovskyi

medium

TitlesGraph::createEdge should have access restriction to be called only by ADMIN_ROLE, but didn't

Summary

In TitlesGraph::createEdge anyone can create edge, but it seems edges should be created only by ADMIN_ROLE

Vulnerability Detail

Accordingly to docs, ADMIN_ROLE can "create new Edges at will (createEdges)". createEdges function has onlyRolesOrOwner(ADMIN_ROLE) modifier, that is correct. createEdge should also have this check. Now, every user can call it and create edge.

Impact

Edges can be created by anyone in a big amount

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L64

    function createEdge(Node calldata from_, Node calldata to_, bytes calldata data_)
        external
        override
        returns (Edge memory edge)
    {
        if (!_isEntity(from_, msg.sender)) revert Unauthorized();
        return _createEdge(from_, to_, data_);
    }

Tool used

Manual Review

Recommendation

Add onlyRolesOrOwner(ADMIN_ROLE) modifier to the createEdge function

ccashwell commented 5 months ago

Not valid, this is expected behavior. Any entity can create edges where the from is representing the caller, which functions as designed.