If a function that sets an owner or assigns roles is public and lacks access control, anyone can call it and potentially take control of the contract.
Game
Your task is to identify how unauthorized users might exploit this contract to assign themselves privileged access. The assignPrivilege function seems simple, but there’s more to consider in how it’s secured.
// SPDX-License-Identifier: MIT
// Open me in VSCode and really think before opening the hints!
// Add @audit tags wherever suspicious
// Go to the solidity docs to complete missing knowledge of what's happening here
// Solve by drafting a fix!
pragma solidity ^0.8.0;

contract RoleAssignmentGame {
    address public admin;
    mapping(address => bool) public privilegedUsers;

    constructor() { admin = msg.sender; }

    function assignPrivilege(address user) public { privilegedUsers[user] = true; }

    function restrictedFunction() public view returns (string memory) {
        require(privilegedUsers[msg.sender], "Access denied");
        return "Privileged access granted!";
    }
}
When thinking about role assignment, consider who should ideally have control over this function and whether this is enforced here.
Ask yourself if any user could call assignPrivilege and what might happen if they did so.
function assignPrivilege(address user) public {
    require(msg.sender == admin, "Only admin can assign privileges"); // Fix: access control
    privilegedUsers[user] = true;
}
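To check that the fix actually holds, here is a Foundry test written as an added example (it is not part of the game page). It assumes forge-std is installed, embeds a hardened copy of the contract with the admin check plus a `PrivilegeAssigned` event so grants are visible in transaction logs, and uses a constructed attacker address; the contract name `RoleAssignmentFixed`, the event, and the test names are all my own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol"; // assumes forge-std is installed in the project

// Hardened variant of the game contract (added example, not the page's code).
// Same admin check as the fix, plus an event so every grant is logged on-chain.
contract RoleAssignmentFixed {
    address public admin;
    mapping(address => bool) public privilegedUsers;

    event PrivilegeAssigned(address indexed by, address indexed user);

    constructor() { admin = msg.sender; }

    function assignPrivilege(address user) public {
        require(msg.sender == admin, "Only admin can assign privileges");
        privilegedUsers[user] = true;
        emit PrivilegeAssigned(msg.sender, user);
    }

    function restrictedFunction() public view returns (string memory) {
        require(privilegedUsers[msg.sender], "Access denied");
        return "Privileged access granted!";
    }
}

contract RoleAssignmentFixedTest is Test {
    RoleAssignmentFixed game;
    address attacker = address(0xBEEF); // constructed address, not a real account

    function setUp() public {
        game = new RoleAssignmentFixed(); // this test contract becomes admin
    }

    // A non-admin caller must be rejected and must not end up privileged.
    function testNonAdminCannotAssignPrivilege() public {
        vm.prank(attacker);
        vm.expectRevert(bytes("Only admin can assign privileges"));
        game.assignPrivilege(attacker);
        assertFalse(game.privilegedUsers(attacker));
    }

    // The admin can still grant roles, and the grant is emitted as an event.
    function testAdminCanAssignPrivilege() public {
        vm.expectEmit(true, true, false, false);
        emit RoleAssignmentFixed.PrivilegeAssigned(address(this), attacker);
        game.assignPrivilege(attacker);
        assertTrue(game.privilegedUsers(attacker));

        vm.prank(attacker);
        assertEq(game.restrictedFunction(), "Privileged access granted!");
    }
}
```

Run it with `forge test`. The first test is the one that fails against the original `RoleAssignmentGame`, which is a useful way to confirm that a fix addresses the finding rather than just compiling; the event gives monitoring a concrete log to alert on whenever a new address is granted the privileged role.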