fix(roles): reject revokeRole on sole admin (BOP-196)#91
Merged
Conversation
Without this guard, revokeRole(DEFAULT_ADMIN_ROLE, soleAdmin) succeeds silently: the admin role is cleared, adminCount drops to 0, and every future admin operation reverts unauthorized. No LastAdminRenounced event fires, so off-chain consumers see no signal that the token has reached its terminal admin-less state. Adds the same last-admin guard already present in renounceRole: when role == DEFAULT_ADMIN_ROLE, the target holds it, and adminCount == 1, revert LastAdminCannotRenounce. The renounceLastAdmin() path remains the only legitimate way to remove the final admin, and it emits the explicit terminal signal. Per Slack consensus from Conner: error when admin count is 1. Test added: test_revokeRole_revert_lastAdmin demonstrates the bug + verifies the fix; complemented by test_revokeRole_success_revokesNonSoleAdmin which pins the multi-admin-allowed case. Existing _success_ tests update their natspec to reference the new guard instead of the (previously-wrong) reasoning. Mock suite: 501/0/0. Note: the Rust precompile has the same bug — the new test currently fails in fork mode and will flip to passing once base/base ships the mirror fix (BOP-197, assigned to Andreas).
amiecorso
changed the title
revokeRole on sole admin (BOP-196)
Collapse short assertEq calls onto single lines per forge fmt. Fixes the CI format check on PR #91. Test behavior is unchanged.
Collaborator
ilikesymmetry
left a comment
ilikesymmetry
left a comment
There was a problem hiding this comment.
Thanks! Can we confirm we also have this logic built in for renounceRole? renouceLastAdmin should be the only path to remove last admin
Contributor
|
refcell
approved these changes
May 28, 2026
amiecorso
added a commit
that referenced
this pull request
May 28, 2026
…createB20 Adds differential check-order tests for the remaining multi-precondition functions on the B20 surface: renounceRole, renounceLastAdmin, updatePolicy, updateSupplyCap, updateSecurityIdentifier, announce, and createB20 (STABLECOIN + SECURITY arms). All 13 new tests pass in mock and fork mode — no new Rust divergences surfaced. The 5 known divergences from the earlier commit are unchanged. revokeRole is the one multi-precondition function intentionally not covered here: its only interesting pair is ROLE vs LAST-ADMIN, but the LAST-ADMIN guard is being added in PR #91 (BOP-196) and the test will land alongside that fix to avoid a stranded mock-mode failure. Coverage now: 67 tests across 17 files. Fork: 62 pass / 5 fail (same 5 divergences as before).
amiecorso
added a commit
that referenced
this pull request
May 28, 2026
Now that PR #91 (BOP-196) has merged into main and through to this branch via the merge commit, the revokeRole LAST-ADMIN guard exists in MockB20. Adds the deferred ROLE-vs-LAST-ADMIN pair test. Both mock and fork pass: in both backends the role-admin check fires before the body's last-admin check, so the canonical ordering holds. Coverage now: 68 tests across 18 files. Fork: 63 pass / 5 fail (same 5 long-known divergences).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes BOP-196.
revokeRole(DEFAULT_ADMIN_ROLE, soleAdmin)succeeded silently before this PR.The dedicated
renounceLastAdmin()path was intended to be the only legitimate way to remove the final admin —renounceRolealready has the equivalent guard.revokeRolewas missing it.The fix
Mirror the existing
renounceRoleguard insiderevokeRole:Tests
test_revokeRole_revert_lastAdmin(NEW): regression coverage for the bug. The exact test that should have existed from day one — it would have caught this immediately. Fails without the fix, passes with it.test_revokeRole_success_revokesNonSoleAdmin(NEW): pins the multi-admin-allowed case so the guard isn't over-restrictive._success_tests retain theirvm.assume(!(role == DEFAULT_ADMIN_ROLE && account == admin))exclusion (the case is now covered by the dedicated revert test), with natspec updated to reference the new guard instead of the old (incorrect) "would require renounceLastAdmin instead" reasoning.How was this missed before?
Same pattern as the audit findings in PR #89: every existing
test_revokeRole_success_*hadvm.assume(!(role == DEFAULT_ADMIN_ROLE && account == admin))— an exclusion based on the test author's incorrect mental model of the code. The comment even spelled out the wrong assumption: "would require renounceLastAdmin instead." The implementation enforced no such thing, and thevm.assumeprecisely excluded the bug-housing input from fuzz.