
calc1f4r - Role Revocation in initialize Function in solidityAmo.sol #122

Open
sherlock-admin2 opened this issue Oct 29, 2024 · 0 comments

Comments


sherlock-admin2 commented Oct 29, 2024

calc1f4r

Medium

Role Revocation in initialize Function in solidityAmo.sol

Summary

The current implementation of the initialize function revokes the SETTER_ROLE from the msg.sender immediately after the initialization process. This is problematic because the SETTER_ROLE is required for several functions, including setWhitelistedTokens, which allows the management of whitelisted tokens. By revoking this role, the contract will not allow any further modifications to the whitelisted tokens, effectively locking the contract's ability to manage its reward tokens after initialization.

https://github.com/sherlock-audit/2024-10-axion/blob/main/liquidity-amo/contracts/SolidlyV2AMO.sol#L99C1-L100C1

Root Cause

The immediate revocation of the SETTER_ROLE in the initialize function of the contract poses significant risks to its functionality and flexibility. This design choice limits the ability to modify critical parameters and manage whitelisted tokens after initialization, potentially leading to operational challenges and security vulnerabilities.

https://github.com/sherlock-audit/2024-10-axion/blob/main/liquidity-amo/contracts/SolidlyV2AMO.sol#L99C1-L100C1

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

By revoking the SETTER_ROLE, the contract will no longer allow any account to call functions that require this role, such as setWhitelistedTokens, setVault, setTokenId, and setParams. This means that once the contract is initialized, it cannot be modified to add or remove whitelisted tokens or adjust other critical parameters.

Especially setWhitelistedTokens(), which was not initialized beforehand.

PoC

No response

Mitigation

Instead of revoking the SETTER_ROLE at the end of the initialize function, consider using the onlyInitializing modifier to restrict the execution of setter functions to the initialization phase only. This way, the role can remain active for the duration of the initialization process, allowing for necessary configurations without permanently locking out the ability to manage the contract's state.

sherlock-admin2 changed the title from "Prehistoric Emerald Poodle - Role Revocation in initialize Function in solidityAmo.sol" to "calc1f4r - Role Revocation in initialize Function in solidityAmo.sol" on Oct 30, 2024
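An added illustration of the lockout described in the finding above. This is example code written for this page, not the Axion SolidlyV2AMO contract or the project's fix: role handling is a hand-rolled stand-in for OpenZeppelin AccessControl so the file compiles with no imports, and `AmoBase`, `LockedAmo`, `ManagedAmo`, `Demo`, the `vault` field and the `_afterInitialize` hook are assumed names that only mirror the setters the finding lists.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this finding; not code from the Axion repository.
// Role checks are a minimal stand-in for OpenZeppelin AccessControl so the
// file compiles without imports. Contract and function names are assumed.
abstract contract MinimalRoles {
    bytes32 public constant SETTER_ROLE = keccak256("SETTER_ROLE");
    mapping(bytes32 => mapping(address => bool)) private _roles;

    error MissingRole(bytes32 role, address account);

    modifier onlyRole(bytes32 role) {
        if (!_roles[role][msg.sender]) revert MissingRole(role, msg.sender);
        _;
    }

    function hasRole(bytes32 role, address account) public view returns (bool) {
        return _roles[role][account];
    }

    function _grantRole(bytes32 role, address account) internal {
        _roles[role][account] = true;
    }

    function _revokeRole(bytes32 role, address account) internal {
        _roles[role][account] = false;
    }
}

// Shared AMO skeleton: initialize() grants SETTER_ROLE to the deployer, uses it
// for the initial configuration, then hands control to _afterInitialize().
abstract contract AmoBase is MinimalRoles {
    bool private _initialized;
    address public vault;
    mapping(address => bool) public whitelistedTokens;

    function initialize(address vault_) external {
        require(!_initialized, "already initialized"); // can never be re-run
        _initialized = true;
        _grantRole(SETTER_ROLE, msg.sender);
        setVault(vault_); // succeeds: the caller holds the role at this point
        _afterInitialize();
    }

    function _afterInitialize() internal virtual;

    function setVault(address vault_) public onlyRole(SETTER_ROLE) {
        vault = vault_;
    }

    function setWhitelistedTokens(address[] calldata tokens, bool allowed)
        external
        onlyRole(SETTER_ROLE)
    {
        for (uint256 i = 0; i < tokens.length; i++) {
            whitelistedTokens[tokens[i]] = allowed;
        }
    }
}

// The pattern the finding describes: the only SETTER_ROLE holder loses the role
// on the last line of initialize(), so every onlyRole(SETTER_ROLE) function is
// unreachable afterwards and the whitelist can never be populated.
contract LockedAmo is AmoBase {
    function _afterInitialize() internal override {
        _revokeRole(SETTER_ROLE, msg.sender);
    }
}

// Assumed alternative for contrast (not the project's remediation): the role
// survives initialization, so the setter can still manage the whitelist later.
contract ManagedAmo is AmoBase {
    function _afterInitialize() internal override {}
}

// Deploys both variants and calls setWhitelistedTokens() after initialize().
contract Demo {
    function run() external returns (bool lockedReverts, bool managedUpdated) {
        address[] memory tokens = new address[](1);
        tokens[0] = address(0xBEEF); // constructed sample token address

        LockedAmo locked = new LockedAmo();
        locked.initialize(address(0xCAFE)); // constructed sample vault address
        try locked.setWhitelistedTokens(tokens, true) {
            lockedReverts = false;
        } catch {
            lockedReverts = true; // MissingRole: no account holds SETTER_ROLE
        }

        ManagedAmo managed = new ManagedAmo();
        managed.initialize(address(0xCAFE));
        managed.setWhitelistedTokens(tokens, true);
        managedUpdated = managed.whitelistedTokens(tokens[0]);
    }
}
```

Compile with solc 0.8.20 or later, deploy `Demo` (in Remix or a Foundry script) and call `run()`: the `LockedAmo` branch reverts with `MissingRole` because the deployer was the only holder and the role was revoked inside `initialize`, while the `ManagedAmo` branch updates the whitelist. Because `initialize` is guarded by `_initialized`, there is no second call through which a caller could regain the role, which is why the lockout is permanent for the locked variant.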