FertilizerFacet:payFertilizer is called from the Fertilizer:_update function. The _update function is called internally within the Fertilizer contract, specifically within the _beforeTokenTransfer function, which is triggered when tokens are transferred between addresses. This _beforeTokenTransfer function is executed in response to an external action, such as a user-initiated transfer.
Inside the _update function, there's a call to IBS(owner()).payFertilizer(account, amount). Here, it assumes that the caller of the payFertilizer function will be the owner of the IBS contract (owner()). However, since _update is called internally within the Fertilizer contract, the msg.sender at that point will be the Fertilizer contract itself, not the owner.
As a result, when payFertilizer is invoked from within _update, it will fail the require statement, as msg.sender will not match C.fertilizerAddress().
See the following code:
The impact of this issue is that the Fertilizer contract won't be able to successfully execute the payment to the account, leading to potential disruptions in the expected behavior of the contract and preventing users from claiming their fertilizer rewards.
Manual Review
To resolve this issue, you should ensure that the correct caller address is provided when invoking the payFertilizer function. This can be achieved by either explicitly passing the desired caller address or ensuring that the _update function is called in a context where the desired msg.sender is set correctly to match C.fertilizerAddress().
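The following is an added illustration, not code from the audited project, showing how msg.sender is set when an internal hook makes an external call into a function guarded by a caller-address check. All contract and function names (GuardedPayee, Token, Check, pay, allowedCaller) are hypothetical; allowedCaller plays the role of C.fertilizerAddress(), and the guard passes only when that configured address equals the calling contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: every name below is hypothetical, not project code.
interface IPayee {
    function pay(address account, uint256 amount) external;
}

// Stands in for the contract that guards a function by caller address.
contract GuardedPayee is IPayee {
    address public immutable allowedCaller; // role of C.fertilizerAddress()

    constructor(address _allowedCaller) {
        allowedCaller = _allowedCaller;
    }

    function pay(address, uint256) external view override {
        // msg.sender is the contract that made this external call,
        // not the user who started the transaction.
        require(msg.sender == allowedCaller, "caller not allowed");
    }
}

// Stands in for the token whose internal hook makes the external call.
contract Token {
    IPayee public payee;

    function setPayee(IPayee p) external { payee = p; }

    function transfer(address to, uint256 amount) external {
        _update(to, amount); // internal call: msg.sender is still the user
    }

    function _update(address account, uint256 amount) internal {
        // External call: inside pay(), msg.sender == address(this).
        payee.pay(account, amount);
    }
}

contract Check {
    // Returns (true, false): the guard passes only when the configured
    // address is the Token contract that performs the external call.
    function run() external returns (bool okWhenMatching, bool okWhenOther) {
        Token token = new Token();
        token.setPayee(new GuardedPayee(address(token)));
        try token.transfer(address(1), 1) { okWhenMatching = true; } catch {}
        token.setPayee(new GuardedPayee(address(this)));
        try token.transfer(address(1), 1) { okWhenOther = true; } catch {}
    }
}
```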