Active Boosts

#49250 [SC-Insight] `AccessControl`: unnecessary box usage in `_grant_role`

Submitted on Jul 13th 2025 at 19:10:11 UTC by @ustas for Audit Comp | Folks Smart Contract Library

  • Report ID: #49250

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/AccessControl.py

  • Impacts:

Description

Description

When grant_role is called, the internal _grant_role subroutine explicitly sets the admin of a role to default_admin_role.

    @subroutine
    def _grant_role(self, role: Bytes16, account: Address) -> Bool:
        # if new role then add the default admin role
        if role not in self.roles:
            self.roles[role] = self.default_admin_role()

However, this explicit storage change is redundant. The get_role_admin function returns default_admin_role if a role's admin is not found in the roles box. This provides an implicit default.

    @abimethod(readonly=True)
    def get_role_admin(self, role: Bytes16) -> Bytes16:
        """Returns the admin role that controls a role

        Args:
            role: The role to get its admin of

        Returns:
            The role admin
        """
        if role not in self.roles:
            return self.default_admin_role()
        return self.roles[role]

Remediation

Remove the if condition block in _grant_role.

Proof of Concept

Proof of Concept

  1. Add any new role

  2. There's a storage write

Previous#49075 [SC-Low] `SetLib.remove_item()` is not safe on empty Dynamic arraysNext#49390 [SC-Low] `UInt64SetLib#remove_item` would revert if the item is empty

Was this helpful?