In the BaseGauge contract, the roles EMERGENCY_ADMIN and DISTRIBUTION_ADMIN (assuming the second mention in the code was a mistake) are never assigned, because the contract contains no _grantRole call for them. As a result, every function gated on these roles, such as setDistributionCap and setEmergencyPaused, is unreachable.
The contract uses the OpenZeppelin AccessControl pattern, in which a role has no holders until it is explicitly assigned with _grantRole. BaseGauge never performs that initialization for either role.
In OpenZeppelin’s AccessControl, a role can only be granted by an account that holds the admin role for that role. The function responsible for granting roles is:
Here is the issue:
- EMERGENCY_ADMIN and DISTRIBUTION_ADMIN are never set using _grantRole.
- grantRole can only be called by a holder of the admin role of the target role (DEFAULT_ADMIN_ROLE unless changed with _setRoleAdmin), and that admin role is never assigned either.
- Since no account holds the admin role, no one can ever grant these roles after deployment.
As a result, the functions that require these roles, namely:
- setDistributionCap()
- setEmergencyPaused()
cannot be executed by any caller, making them permanently inaccessible.
Critical: the functions meant for emergency response and distribution control are permanently locked.
Governance/admin actions cannot be performed: the project has no way to pause distributions or cap them, and no way to recover the roles on the deployed contract.
Manual Code Review
Explicitly assign an admin and a holder for each role in the constructor (or initializer), using _grantRole.
Verify after deployment that getRoleAdmin(EMERGENCY_ADMIN) and getRoleAdmin(DISTRIBUTION_ADMIN) resolve to a role that has at least one holder, so the roles can be rotated later.
If using a governance model, assign DEFAULT_ADMIN_ROLE to a multi-sig or DAO contract rather than an EOA.
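The following is an added, constructed illustration of the finding and its fix, not BaseGauge's actual code: an abstract gauge with the two role-gated setters, one concrete contract whose constructor omits _grantRole (the reported state), and one whose constructor wires up DEFAULT_ADMIN_ROLE and both roles. Constructor parameter names and the hasAdmin helper are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Constructed stand-in for BaseGauge: only the role plumbing that matters here.
abstract contract GaugeRoles is AccessControl {
    bytes32 public constant EMERGENCY_ADMIN = keccak256("EMERGENCY_ADMIN");
    bytes32 public constant DISTRIBUTION_ADMIN = keccak256("DISTRIBUTION_ADMIN");

    uint256 public distributionCap;
    bool public emergencyPaused;

    function setDistributionCap(uint256 cap) external onlyRole(DISTRIBUTION_ADMIN) {
        distributionCap = cap;
    }

    function setEmergencyPaused(bool paused) external onlyRole(EMERGENCY_ADMIN) {
        emergencyPaused = paused;
    }

    // Deployment check: does the admin role of `role` have the given holder?
    // For the vulnerable contract this is false for every address, since
    // getRoleAdmin(role) is DEFAULT_ADMIN_ROLE and nobody was ever granted it.
    function hasAdmin(bytes32 role, address account) external view returns (bool) {
        return hasRole(getRoleAdmin(role), account);
    }
}

// Reported state: no _grantRole call at all. grantRole(EMERGENCY_ADMIN, x)
// reverts for every caller, so both setters above are unreachable forever.
contract BaseGaugeVulnerable is GaugeRoles {
    constructor() {}
}

// Fixed state: the admin role and both operational roles are assigned at
// construction, so holders can be rotated later by the DEFAULT_ADMIN_ROLE holder.
contract BaseGaugeFixed is GaugeRoles {
    constructor(address admin, address emergencyAdmin, address distributionAdmin) {
        require(admin != address(0), "admin is zero");
        require(emergencyAdmin != address(0) && distributionAdmin != address(0), "role holder is zero");
        // `admin` should be a multi-sig or DAO; it is the admin of both roles by default.
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(EMERGENCY_ADMIN, emergencyAdmin);
        _grantRole(DISTRIBUTION_ADMIN, distributionAdmin);
    }
}
```

After deploying BaseGaugeFixed, hasAdmin(EMERGENCY_ADMIN, admin) returns true, which is the post-deployment check the recommendation above asks for.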