engineer - Lack of Access Control in `AppStorage` functions

[sherlock-admin4]

engineer

Medium

Lack of Access Control in AppStorage functions

Summary

The functions within the AppStorage library lack access control mechanisms. This means any contract or address that can call these functions is able to modify the storage variables, leading to potential unauthorized access and manipulation of critical data.

Vulnerability Detail

This section of AppStorage define multiple CRUD functions to access storage. All these functions are marked external and do not perform any access control mechanism.

Code Snippet

Consider these

    function setUintValue(Props storage self, bytes32 key, uint256 value) external {
        self.uintValues[key] = value;
    }

    function deleteUintValue(Props storage self, bytes32 key) external {
        delete self.uintValues[key];
    }

Impact

Without access control, malicious actors can exploit this to change important configuration values, leading to potential financial losses, disruption of services, and overall instability in the application that relies on this storage pattern.

Tool used

Manual Review

Recommendation

Implement access control to restrict who can call these state-modifying functions. This can be achieved by integrating with existing access control systems or defining role-based access controls within the library.

[nevillehuang]

Invalid, AppStorage is a library not a contract where those functions are not supposed to be called directly. This functions are only ultimately triggered within ConfigFacet.sol which has relevant access control in place