engineer - `Public` access control functions such as `grantRole`, `revokeRole` and `renounceRole` will fail as `ADMIN_ROLE` role is not its own admin #268
Summary
In contracts/vault/Vault.sol, a new role called ADMIN_ROLE is used for admin tasks. Unlike DEFAULT_ADMIN_ROLE, ADMIN_ROLE has no admin role configured to manage it. Even though the contract defines the specialised methods grantAdmin and revokeAdmin, the following methods inherited from OpenZeppelin's AccessControl will fail for this role:
grantRole
revokeRole
renounceRole
Vulnerability Detail
This happens because of the onlyRole modifier present on each of these functions. For example, consider OZ's code for grantRole shown in the Code Snippet section. Even though the function is publicly callable, the call fails the onlyRole(getRoleAdmin(role)) check: getRoleAdmin(ADMIN_ROLE) returns 0x0 (the default, i.e. DEFAULT_ADMIN_ROLE) and msg.sender does not hold that role.
Impact
OpenZeppelin's public-facing functions will fail.
Code Snippet
// OpenZeppelin AccessControl: reverts unless msg.sender holds the admin role of `role`
function grantRole(bytes32 role, address account) public virtual override onlyRole(getRoleAdmin(role)) {
    _grantRole(role, account);
}
Severity
Medium
Tool used
Manual Review
Recommendation
Update Vault's constructor
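As an added illustration (not the project's own code), a reduced vault showing the constructor before and after the fix; the contract names, the constructor argument and the grantAdmin body are assumptions, and it assumes an OpenZeppelin version where _grantRole is internal (4.6 or later):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical reduced vault reproducing the finding.
contract VaultBroken is AccessControl {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");

    constructor(address admin) {
        // ADMIN_ROLE is granted, but its admin role is never set, so
        // getRoleAdmin(ADMIN_ROLE) stays at bytes32(0) == DEFAULT_ADMIN_ROLE,
        // which no account holds.
        _grantRole(ADMIN_ROLE, admin);
    }

    // The custom helper works because it checks ADMIN_ROLE directly...
    function grantAdmin(address account) external onlyRole(ADMIN_ROLE) {
        _grantRole(ADMIN_ROLE, account);
    }
    // ...but the inherited grantRole(ADMIN_ROLE, x) and revokeRole(ADMIN_ROLE, x)
    // revert for every caller: onlyRole(getRoleAdmin(ADMIN_ROLE)) requires a
    // holder of DEFAULT_ADMIN_ROLE, and there is none.
}

// Same vault with the constructor fixed as the recommendation suggests.
contract VaultFixed is AccessControl {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");

    constructor(address admin) {
        // Make ADMIN_ROLE its own admin so that its holders can use the
        // inherited grantRole / revokeRole as well as grantAdmin / revokeAdmin.
        // Alternatively, grant DEFAULT_ADMIN_ROLE to a trusted account.
        _setRoleAdmin(ADMIN_ROLE, ADMIN_ROLE);
        _grantRole(ADMIN_ROLE, admin);
    }
}
```

A quick check in a test is to call getRoleAdmin(ADMIN_ROLE) on the deployed vault and assert it is not bytes32(0) unless some account actually holds DEFAULT_ADMIN_ROLE.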
Duplicate of #220