FV-SOL-4-C2 Unrestricted Role Assignment
TLDR
If a function that sets an owner or assigns roles is public or lacks access control, anyone can call it, potentially taking control of the contract.
Game
Your task is to identify how unauthorized users might exploit this contract to assign themselves privileged access. The assignPrivilege function seems simple, but there’s more to consider in how it’s secured.
```solidity
// SPDX-License-Identifier: MIT
// Open me in VSCode and really think before opening the hints!
// Add @audit tags wherever suspicious
// Go to the solidity docs to complete missing knowledge of what's happening here
// Solve by drafting a fix!

pragma solidity ^0.8.0;

contract RoleAssignmentGame {
    address public admin;
    mapping(address => bool) public privilegedUsers;

    constructor() {
        admin = msg.sender;
    }

    function assignPrivilege(address user) public {
        privilegedUsers[user] = true;
    }

    function restrictedFunction() public view returns (string memory) {
        require(privilegedUsers[msg.sender], "Access denied");
        return "Privileged access granted!";
    }
}
```