# #49250 [SC-Insight] `AccessControl`: unnecessary box usage in `_grant_role`

**Submitted on Jul 13th 2025 at 19:10:11 UTC by @ustas for** [**Audit Comp | Folks Smart Contract Library**](https://immunefi.com/audit-competition/folks-sc-library)

* **Report ID:** #49250
* **Report Type:** Smart Contract
* **Report severity:** Insight
* **Target:** <https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/AccessControl.py>
* **Impacts:**

## Description

When `grant_role` is called, the internal `_grant_role` subroutine explicitly sets the admin of a `role` to `default_admin_role`.

```py
    @subroutine
    def _grant_role(self, role: Bytes16, account: Address) -> Bool:
        # if new role then add the default admin role
        if role not in self.roles:
            self.roles[role] = self.default_admin_role()
```

However, this explicit storage change is redundant. The `get_role_admin` function returns `default_admin_role` if a role's admin is not found in the `roles` box. This provides an implicit default.

```py
    @abimethod(readonly=True)
    def get_role_admin(self, role: Bytes16) -> Bytes16:
        """Returns the admin role that controls a role

        Args:
            role: The role to get its admin of

        Returns:
            The role admin
        """
        if role not in self.roles:
            return self.default_admin_role()
        return self.roles[role]
```

## Remediation

Remove the `if` condition block in `_grant_role`.

## Proof of Concept

1. Add any new role
2. There's a storage write
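
The two steps above, replayed on a plain-Python model of the `roles` box map. This is an added example, not code from the report or the Folks library. It shows that `get_role_admin` answers identically with and without the explicit default write, and counts the boxes each variant creates. Assumptions: `DEFAULT_ADMIN_ROLE` is a stand-in value, `set_role_admin` and the sample role names are hypothetical, and no other code path treats `role in self.roles` as a "role exists" check.

```python
# Plain-Python model (not Algorand Python) of the `roles` box map in the report.
DEFAULT_ADMIN_ROLE = bytes(16)  # assumed stand-in for default_admin_role()

class RolesModel:
    def __init__(self, explicit_default: bool):
        self.explicit_default = explicit_default  # True = current code, False = remediation
        self.roles = {}       # role -> admin role, models the `roles` box map
        self.box_creates = 0  # number of new boxes created

    def _write(self, role: bytes, admin: bytes) -> None:
        if role not in self.roles:
            self.box_creates += 1
        self.roles[role] = admin

    def grant_role(self, role: bytes) -> None:
        # Only the part of _grant_role quoted in the report is modelled.
        if self.explicit_default and role not in self.roles:
            self._write(role, DEFAULT_ADMIN_ROLE)

    def set_role_admin(self, role: bytes, admin: bytes) -> None:
        # Hypothetical helper: a non-default admin still needs the box.
        self._write(role, admin)

    def get_role_admin(self, role: bytes) -> bytes:
        # Same fallback as the quoted get_role_admin.
        return self.roles.get(role, DEFAULT_ADMIN_ROLE)

def box_mbr_microalgos(name_len: int, value_len: int) -> int:
    # Algorand box minimum balance: 2500 + 400 * (name length + box size).
    # name_len must include the box key prefix, which the page does not show.
    return 2500 + 400 * (name_len + value_len)

def compare(ops):
    """Replay ops on both variants; return (views_equal, creates_current, creates_fixed)."""
    current, fixed = RolesModel(True), RolesModel(False)
    for op, role, admin in ops:
        for model in (current, fixed):
            if op == "grant":
                model.grant_role(role)
            else:
                model.set_role_admin(role, admin)
    touched = {role for _, role, _ in ops} | {b"never-granted-00"}
    equal = all(current.get_role_admin(r) == fixed.get_role_admin(r) for r in touched)
    return equal, current.box_creates, fixed.box_creates

# Constructed sample: two new roles granted, one later given a custom admin.
MINTER, PAUSER, OPS_ADMIN = (n.ljust(16, b"\0") for n in (b"minter", b"pauser", b"ops"))
OPS = [("grant", MINTER, None), ("grant", PAUSER, None), ("set_admin", PAUSER, OPS_ADMIN)]
```

Each box the remediation avoids also avoids the minimum-balance increase that `box_mbr_microalgos` computes for the real box name length.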

