Code4rena | CODE423N4:2022-08-FOUNDATION-FINDINGS-ISSUES-275
Aug 15, 2022 - 12:00 a.m.

Exposure of critical functions

Lines of code

Vulnerability details

Impact

The AdminRole mixin exposes critical functions, such as grantAdmin() and revokeAdmin(), without any restrictions.

Proof of Concept

Critical functions like grantAdmin() can be accessed externally, changing critical roles like admin.

// e.g.:
  function grantAdmin(address account) external {
    grantRole(DEFAULT_ADMIN_ROLE, account);
  }

Tools Used

  • Manual Analysis

Recommended Mitigation Steps

  • Converting the functions inside mixins to internal might help.
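
The pattern this finding describes, next to a gated form, as an added example that is not Foundation's AdminRole code. All contract, function, event and error names other than grantAdmin() and revokeAdmin() are hypothetical, and the example assumes the underlying role store performs no caller check of its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration with hypothetical contracts, not Foundation's code.
// Assumption: this role store does not check the caller itself.
abstract contract RoleStore {
    mapping(address => bool) private _admins;

    event AdminChanged(address indexed account, bool enabled, address indexed by);

    function isAdmin(address account) public view returns (bool) {
        return _admins[account];
    }

    // Internal primitive: no authorization here, so every external
    // entry point that reaches it must enforce its own check.
    function _setAdmin(address account, bool enabled) internal {
        _admins[account] = enabled;
        emit AdminChanged(account, enabled, msg.sender);
    }
}

// Pattern described in the finding: external wrapper with no restriction.
contract ExposedAdminRole is RoleStore {
    constructor() { _setAdmin(msg.sender, true); }

    function grantAdmin(address account) external {
        _setAdmin(account, true); // reachable by any caller
    }
}

// Hardened form: the state change stays internal and the external
// entry points are gated on the caller already being an admin.
contract GuardedAdminRole is RoleStore {
    error NotAdmin(address caller);

    modifier onlyAdmin() {
        if (!isAdmin(msg.sender)) revert NotAdmin(msg.sender);
        _;
    }

    constructor() { _setAdmin(msg.sender, true); }

    function grantAdmin(address account) external onlyAdmin {
        _setAdmin(account, true);
    }

    function revokeAdmin(address account) external onlyAdmin {
        _setAdmin(account, false);
    }
}
```

When reviewing a wrapper like this, check whether the function it delegates to enforces its own caller check; an external function is only unrestricted if nothing along the call path authorizes the caller.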
