Closed sherlock-admin4 closed 1 week ago
Invalid, AppStorage is a library not a contract where those functions are not supposed to be called directly. These functions are only ultimately triggered within ConfigFacet.sol which has relevant access control in place.
engineer
Medium
Lack of Access Control in AppStorage functions
Summary
The functions within the AppStorage library lack access control mechanisms. This means any contract or address that can call these functions is able to modify the storage variables, leading to potential unauthorized access and manipulation of critical data.
Vulnerability Detail
This section of AppStorage defines multiple CRUD functions to access storage. All these functions are marked external and do not perform any access control mechanism.
Code Snippet
Consider these
Impact
Without access control, malicious actors can exploit this to change important configuration values, leading to potential financial losses, disruption of services, and overall instability in the application that relies on this storage pattern.
Tool used
Manual Review
Recommendation
Implement access control to restrict who can call these state-modifying functions. This can be achieved by integrating with existing access control systems or defining role-based access controls within the library.
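
The arrangement the closing comment describes, shown as an added example that is not code from the audited project: an external library setter that runs in its caller's storage context, with the access check in the facet that calls it. `AppStorageExample`, `ConfigFacetExample`, the slot string and every function name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical storage library; every name here is an assumption.
library AppStorageExample {
    bytes32 internal constant SLOT = keccak256("example.app.storage");

    struct Layout {
        address owner;
        mapping(bytes32 => uint256) config;
    }

    function layout() internal pure returns (Layout storage l) {
        bytes32 slot = SLOT;
        assembly { l.slot := slot }
    }

    // External library function: a contract reaches it with DELEGATECALL,
    // so it writes the calling contract's storage. A plain CALL to the
    // deployed library reverts (call protection for non-view functions).
    function setConfig(bytes32 key, uint256 value) external {
        layout().config[key] = value;
    }

    function getConfig(bytes32 key) external view returns (uint256) {
        return layout().config[key];
    }
}

// Hypothetical facet: the only entry point that reaches setConfig.
contract ConfigFacetExample {
    error NotOwner();

    // Standalone for illustration; a diamond would set the owner in its initializer.
    constructor() {
        AppStorageExample.layout().owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != AppStorageExample.layout().owner) revert NotOwner();
        _;
    }

    function setConfig(bytes32 key, uint256 value) external onlyOwner {
        AppStorageExample.setConfig(key, value);
    }
    function getConfig(bytes32 key) external view returns (uint256) {
        return AppStorageExample.getConfig(key);
    }
}
```

When reviewing a layout like this, check each contract that links the library: any unguarded function that forwards to `setConfig` would expose the write.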