59330 sc insight rescuer role not assigned during initialization
Description
Brief/Intro
Vulnerability Details
/// @notice One-time initializer: sets up the ERC20/ERC4626 token state, validates the
///         decoded parameters, stores the deposit limit and first period configuration,
///         and grants the initial access-control roles.
/// @dev Guarded by the `initializer` modifier. Role grants below cover DEFAULT_ADMIN_ROLE
///      plus four optional operational roles; RESCUER_ROLE is not among them (see the
///      audit marker at the end of the body).
/// @param _asset Underlying asset handed to `__ERC4626_init`; rejected if it is the zero address.
/// @param _name Token name handed to `__ERC20_init`.
/// @param _symbol Token symbol handed to `__ERC20_init`.
/// @param _initParams ABI-encoded `InitParams` struct (deposit limit, period duration, role holders).
function initialize(
    IERC20 _asset,
    string memory _name,
    string memory _symbol,
    bytes memory _initParams
) public initializer {
    // Decode the opaque bytes into the typed struct; malformed input reverts here.
    InitParams memory initParams = abi.decode(_initParams, (InitParams));
    __ERC20_init(_name, _symbol);
    __ERC4626_init(_asset);
    __Pausable_init();
    __ReentrancyGuard_init();
    __AccessControl_init();
    // Parameter validation runs after the parent initializers; a revert here still
    // rolls back the whole call, so no partially-initialized state is left behind.
    if (address(_asset) == address(0)) {
        revert InvalidAssetAddress();
    }
    if (initParams.depositLimit == 0) {
        revert InvalidDepositLimit();
    }
    if (initParams.periodConfigurationDuration == 0) {
        revert InvalidPeriodConfigurationDuration();
    }
    // The admin is the only mandatory role holder: a zero admin is rejected outright.
    if (initParams.defaultAdmin == address(0)) {
        revert InvalidAdminAddress();
    }
    depositLimit = initParams.depositLimit;
    // First period configuration starts at the current timestamp.
    _addPeriodConfiguration(Time.timestamp(), initParams.periodConfigurationDuration);
    contractVersion = 1;
    _grantRole(DEFAULT_ADMIN_ROLE, initParams.defaultAdmin);
    // Each operational role below is optional: it is granted only when a non-zero
    // address was supplied, otherwise the role is left without a holder.
    if (initParams.limitUpdater != address(0)) {
        _grantRole(DEPOSIT_LIMIT_UPDATE_ROLE, initParams.limitUpdater);
    }
    if (initParams.blocklister != address(0)) {
        _grantRole(BLOCKLIST_ROLE, initParams.blocklister);
    }
    if (initParams.pauser != address(0)) {
        _grantRole(PAUSE_ROLE, initParams.pauser);
    }
    if (initParams.periodConfigurationUpdater != address(0)) {
        _grantRole(PERIOD_CONFIGURATION_UPDATE_ROLE, initParams.periodConfigurationUpdater);
    }
    // Audit finding: no _grantRole(RESCUER_ROLE, ...) appears anywhere in this function,
    // so RESCUER_ROLE has no holder when initialization completes.
    // NOTE(review): presumably the DEFAULT_ADMIN_ROLE holder must grant it in a separate
    // transaction before any RESCUER_ROLE-gated function (not shown here) can be used —
    // confirm against the role-admin configuration and the deployment runbook.
    @> // @audit-info where is RESCUER_ROLE
}
Impact Details
References
Proof of Concept
Proof of Concept