fibonacci - Owner and admin roles in TitlesGraph are not initialized

[sherlock-admin3]

fibonacci

high

Owner and admin roles in TitlesGraph are not initialized

Summary

The TitlesGraph contract is intended to be upgradable. However, the owner and admin roles are assigned within the constructor. This implies that they will be initialized in the implementation storage, leaving the proxy storage unaffected.

Vulnerability Detail

constructor(address owner_, address admin_) {
    _initializeOwner(owner_);
    _grantRoles(admin_, ADMIN_ROLE);
}

Impact

Neither the owner nor the admin of the TitlesGraph contract has the ability to manage it.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/graph/TitlesGraph.sol#L52-L55

Tool used

Manual Review

Recommendation

Assign owner and admin roles within an initialization function.

Duplicate of #148

[0xf1b0]

Escalate

This is not a duplicate of #272.

This issue leaves the TitlesGraph contract without an owner, and it appears to me that it should be considered high severity.

[sherlock-admin3]

Escalate

This is not a duplicate of #272.

This issue leaves the TitlesGraph contract without an owner, and it appears to me that it should be considered high severity.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[WangSecurity]

Indeed, the watsons are correct here, planning to accept the escalation and create a new family of medium severity with the core issue of "roles are set incorrectly or not set at all" and duplicate with #148 (also in #148 you can see a more comprehensive list of duplicates).

[Evert0x]

Result:
Medium
Duplicate of #148

[sherlock-admin4]

Escalations have been resolved successfully!

Escalation status:

• 0xf1b0: accepted