#49250 [SC-Insight] `AccessControl`: unnecessary box usage in `_grant_role`

Submitted on Jul 13th 2025 at 19:10:11 UTC by @ustas for Audit Comp | Folks Smart Contract Library

• Report ID: #49250

• Report Type: Smart Contract

• Report severity: Insight

• Target: https://github.com/Folks-Finance/algorand-smart-contract-library/blob/main/contracts/library/AccessControl.py

• Impacts:

Description

Description

When grant_role is called, the internal _grant_role subroutine explicitly sets the admin of a role to default_admin_role.

    @subroutine
    def _grant_role(self, role: Bytes16, account: Address) -> Bool:
        # if new role then add the default admin role
        if role not in self.roles:
            self.roles[role] = self.default_admin_role()

However, this explicit storage change is redundant. The get_role_admin function returns default_admin_role if a role's admin is not found in the roles box. This provides an implicit default.

    @abimethod(readonly=True)
    def get_role_admin(self, role: Bytes16) -> Bytes16:
        """Returns the admin role that controls a role

        Args:
            role: The role to get its admin of

        Returns:
            The role admin
        """
        if role not in self.roles:
            return self.default_admin_role()
        return self.roles[role]

Remediation

Remove the if condition block in _grant_role.

Proof of Concept

Proof of Concept

1. Add any new role

2. There's a storage write