setSentinel actually adds sentinel #108

Open
code423n4 opened this issue Nov 18, 2021 · 3 comments
Labels
1 (Low Risk): Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug: Something isn't working
resolved: Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Contributor

Handle

pauliax

Vulnerability details

Impact

Please note that function setSentinel does not actually remove an existing sentinel but adds a new address with this role. I am not sure if this is intended behavior and you are aware of this, but the function name is a bit misleading in my opinion, so submitting this FYI. Anyway, roles can be managed directly if necessary (grantRole/revokeRole).

code423n4 added the 1 (Low Risk) and bug labels Nov 18, 2021
code423n4 added a commit that referenced this issue Nov 18, 2021
Xuefeng-Zhu added the sponsor disputed label Nov 23, 2021

@Xuefeng-Zhu
Collaborator

AccessControl.sol provides a function to revoke a role.

@0xleastwood
Collaborator

0xleastwood commented Dec 21, 2021

I don't think the sponsor is understanding the issue. There seems to be a mismatch with the naming of setSentinel and the actual behaviour. Multiple sentinel accounts can be given access to the SENTINEL_ROLE. I fully understand if the sponsor is aware and has acknowledged the issue, but for judging purposes, I will leave this as is.

@Xuefeng-Zhu
Collaborator

I am going to remove the setSentinel function, since it can be managed by AccessControl directly.

Xuefeng-Zhu added the resolved label Jan 31, 2022
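
The naming mismatch discussed in this thread, as an added example that is not part of the thread or the project's code: a self-contained Solidity contract that puts a grant-only setter beside one that replaces the previous holder. Only SENTINEL_ROLE and the grant-without-revoke behaviour come from the issue; the contract name, `admin`, `currentSentinel`, both setter names and the inline role mapping (standing in for AccessControl) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited contract. Roles are kept in an inline
// mapping (an assumption standing in for AccessControl) so the file compiles alone.
contract SentinelRoles {
    bytes32 public constant SENTINEL_ROLE = keccak256("SENTINEL_ROLE");

    address public immutable admin;
    address public currentSentinel; // hypothetical: used only by the replacing setter
    mapping(bytes32 => mapping(address => bool)) private _roles;

    event RoleChanged(bytes32 indexed role, address indexed account, bool granted);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() { admin = msg.sender; }

    function hasRole(bytes32 role, address account) public view returns (bool) {
        return _roles[role][account];
    }

    // Behaviour reported in the finding: every call grants, nothing is revoked,
    // so after set(A) then set(B) both A and B hold SENTINEL_ROLE.
    function setSentinelGrantOnly(address sentinel) external onlyAdmin {
        _set(SENTINEL_ROLE, sentinel, true);
    }

    // Behaviour the name implies: the previous holder loses the role first.
    function setSentinelReplacing(address sentinel) external onlyAdmin {
        require(sentinel != address(0), "zero sentinel");
        address previous = currentSentinel;
        if (previous != address(0) && previous != sentinel) {
            _set(SENTINEL_ROLE, previous, false);
        }
        currentSentinel = sentinel;
        _set(SENTINEL_ROLE, sentinel, true);
    }

    // Emits only on an actual change, so the log is an audit trail of role holders.
    function _set(bytes32 role, address account, bool granted) private {
        if (_roles[role][account] == granted) return;
        _roles[role][account] = granted;
        emit RoleChanged(role, account, granted);
    }
}
```

The replacing setter only revokes the holder it tracks in `currentSentinel`; an account granted the role through any other path still has to be revoked explicitly.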