First Flight #16: Mafia Takedown

First Flight #16

Beginner FriendlyDeFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Current Deployment Prevents Godfather from Adding Members to Gang

4rdiii

[L-1] Current Deployment Prevents Godfather from Adding Members to Gang

Description:
Upon deployment, the godfather lacks the gangmember role, hindering their ability to use Laundrette::addToTheGang to add new members to the gang.

@> function addToTheGang(address account) external onlyRole("gangmember") isGodFather {

kernel.grantRole(Role.wrap("gangmember"), account);

}

Impact:
While the godfather can eventually acquire the gangmember role by first becoming the admin, granting themselves the role, and then reverting to the Laundrette admin, this process is a hassle. Removing the gangmember access control or assigning it to the godfather during deployment would streamline operations.

Proof of Concept:
Include this test in Laundrette.t.sol to demonstrate the issue:

function test_addToGang() public {

vm.prank(godFather);

vm.expectRevert(abi.encodeWithSelector(Policy_OnlyRole.selector, Role.wrap("gangmember")));

laundrette.addToTheGang(address(123));

////walk around fix:

vm.startPrank(godFather);

kernel.executeAction(Actions.ChangeAdmin, godFather);

kernel.grantRole(Role.wrap("gangmember"), godFather);

kernel.executeAction(Actions.ChangeAdmin, address(laundrette));

laundrette.addToTheGang(address(123));

assertEq(kernel.hasRole(address(123), Role.wrap("gangmember")), true);

}

Recommended Mitigation:
To resolve this, consider removing the onlyRole("gangmember") access control since the isGodFather check is sufficient. Alternatively, if both checks are deemed necessary, assign the gangmember role to the godfather during deployment.

Fix 1: Remove the onlyRole("gangmember") requirement.

- function addToTheGang(address account) external onlyRole("gangmember") isGodFather {

+ function addToTheGang(address account) external isGodFather {

kernel.grantRole(Role.wrap("gangmember"), account);

}

Fix 2: Assign the gangmember role to the godfather during deployment.

function deploy() public returns (Kernel, IERC20, CrimeMoney, WeaponShelf, MoneyShelf, Laundrette) {

godFather = msg.sender;

kernel.grantRole(Role.wrap("moneyshelf"), address(moneyShelf));

+ kernel.grantRole(Role.wrap("gangmember"), godFather);

}

Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

GodFather is not a gang member

Rewards breakdown

nSLOC

205

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.