Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

CurrencyManager.sol - Vulnerability Assessment

samuelaondo10

Summary (CurrencyManager.sol)

The CurrencyManager contract has a vulnerability in the constructor where the grantRole function calls are missing the onlyRole(ADMIN_ROLE) modifier. This allows any address to grant the ADMIN_ROLE to other addresses, effectively bypassing the intended access control mechanism.

Vulnerability Details

The vulnerability is present in the constructor of the CurrencyManager contract:

constructor() {
*grantRole(DEFAULT*ADMIN_ROLE, msg.sender);
*grantRole(ADMIN*ROLE, msg.sender);
}

The grantRole function calls are not protected by the onlyRole(ADMIN_ROLE) modifier, which means any address can call these functions and grant the ADMIN_ROLE to other addresses.

Impact

This vulnerability can lead to a privilege escalation attack, where a malicious actor can grant themselves the ADMIN_ROLE and then perform unauthorized actions, such as adding or removing currencies from the whitelist.

Tools Used

The vulnerability was identified through a manual code review of the CurrencyManager contract.

Recommendations

To fix the vulnerability, the grantRole function calls in the constructor should be wrapped with the onlyRole(ADMIN_ROLE) modifier, like this:

constructor() {
_grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
_grantRole(ADMIN_ROLE, msg.sender);
}

This will ensure that only the ADMIN_ROLE accounts can grant the ADMIN_ROLE to other addresses, maintaining the intended access control mechanism.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.