Deployer script does not grant "godFather" the "gangmember" role in the kernel.
Summary
The deploy() function in Deployer.s.sol is used to deploy the protocol. However, in the process of deploying the protocol, deployer forgets to grant "godFather" the role of "gangmember". In doing so, the "godFather" will not be able to run the addToTheGang() function or the takeGuns() function in the policy contract "Laundrette". According to the ReadMe, the "godFather" should be the Owner, and have all the rights.
Vulnerability Details
Deployer.s.sol forgets to grant the "gangmember" role to "godFather".
function test_godFatherGangMember() public {
//1) Check that godFather does not have the gangmember role after deployer deploys the protocol
console.log("Does godFather have the gangmember role? : ", kernel.hasRole(godFather, Role.wrap("gangmember")));
assertEq(false, kernel.hasRole(godFather, Role.wrap("gangmember")));
//2) Check that godFather cannot call core protocol functions such as laundrette.addToTheGang()
address Alice = makeAddr("Alice");
vm.expectRevert();
vm.prank(godFather);
laundrette.addToTheGang(Alice);
}
Impact
The "godFather" cannot call certain core protocol functions in the policy that he is supposed to be able to call. Key examples here would be the addToTheGang() function or the takeGuns() function in the policy.
Tools Used
Foundry
Recommendations
In the Deployer script's deploy() function, just grant the role of "gangmember" to the "godFather" before changing the admin of the kernel to the policy.
kernel.grantRole(Role.wrap("gangmember"), godFather);
Lead Judging Commences
GodFather is not a gang member
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.