Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 198
Period: 3 days
Judge: 0xean
Total Solo HM: 2
Id: 164
League: ETH
Rank: 143/198
Findings: 1
Award: $18.87
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: AkshaySrivastav
Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x5rings, 0x85102, 0xA5DF, 0xDecorativePineapple, 0xNazgul, 0xSky, 0xSmartContract, 0xbepresent, 0xf15ers, 0xmatt, 2997ms, Aeros, Aymen0909, B2, Bahurum, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, Diraco, Dravee, ElKu, Funen, IllIllI, JC, JLevick, JohnSmith, JohnnyTime, KIntern_NA, Lambda, Margaret, MasterCookie, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, SooYa, StevenL, TomJ, Tomo, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, async, ayeslick, aysha, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, cccz, ch13fd357r0y3r, chatch, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dic0de, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, gogo, got_targ, hansfriese, ignacio, ikbkln, indijanc, innertia, joestakey, karanctf, ladboy233, leosathya, lukris02, martin, medikko, millersplanet, nalus, natzuu, neko_nyaa, neumo, obront, oyc_109, pcarranzav, peanuts, pedr02b2, pedroais, peiw, peritoflores, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, rokinot, romand, rotcivegaf, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, sorrynotsorry, supernova, tibthecat, tnevler, ubermensch, yongskiws, zzykxx, zzzitron
18.8655 USDC - $18.87
https://github.com/code-423n4/2022-09-vtvl/blob/f68b7f3e61dad0d873b5b5a1e8126b839afeab5f/contracts/AccessProtected.sol#L11 https://github.com/code-423n4/2022-09-vtvl/blob/f68b7f3e61dad0d873b5b5a1e8126b839afeab5f/contracts/AccessProtected.sol#L25
The owner won't be able to pass the AccessProtected mechanism. Only admins can.
AccessProtected imports OZ's Ownable:File: AccessProtected.sol 5: import "@openzeppelin/contracts/access/Ownable.sol";
admin and owner roles are different and should both be checked:File: AccessProtected.sol 8: @title Access Limiter to multiple owner-specified accounts. 9: @dev Exposes the onlyAdmin modifier, which will revert (ADMIN_ACCESS_REQUIRED) if the caller is not the owner nor the admin.
21: /** 22: * Throws if called by any account that isn't an admin or an owner. 23: */ 24: modifier onlyAdmin() { 25: require(_admins[_msgSender()], "ADMIN_ACCESS_REQUIRED"); 26: _; 27: }
owner role is never checked. It's not even inherited by AccessProtected while the library is imported:File: AccessProtected.sol 11: abstract contract AccessProtected is Context {
Consider inheriting Ownable and checking the owner:
File: AccessProtected.sol - 11: abstract contract AccessProtected is Context { + 11: abstract contract AccessProtected is Context, Ownable { ... 24: modifier onlyAdmin() { - 25: require(_admins[_msgSender()], "ADMIN_ACCESS_REQUIRED"); + 25: require(_admins[_msgSender()] || owner() == _msgSender(), "ADMIN_ACCESS_REQUIRED"); 26: _; 27: }
Alternatively, if the owner here isn't relevant, consider adding an array of _owners which would be checked the same way as the array of _admins and remove the unused library import.
Alternatively, if admins and owners are the same role, just remove the confusing comments
#0 - 0xean
2022-09-24T21:00:28Z
downgrading to QA as this seems very much like Low risk (e.g. assets are not at risk: state handling, function incorrect as to spec, issues with comments).