Calling to revert #430
Description
While I was going through the MultiRolesAuthority.sol I've noticed something interesting in setTargetCustomAuthority function . I've noticed that an authorized user can set any address as customAuthority as long as the address points to an implementation of Authority . So far so good, no issues.
function setTargetCustomAuthority(address target, Authority customAuthority) public virtual requiresAuth {
getTargetCustomAuthority[target] = customAuthority;
emit TargetCustomAuthorityUpdated(target, customAuthority);
}But things get interesting if the customAuthority is set to the MultiRolesAuthority contract without overwriting the canCall function.
function canCall(
address user,
address target,
bytes4 functionSig
) public view virtual override returns (bool) {
Authority customAuthority = getTargetCustomAuthority[target];
if (address(customAuthority) != address(0)) return customAuthority.canCall(user, target, functionSig);
return
isCapabilityPublic[functionSig] || bytes32(0) != getUserRoles[user] & getRolesWithCapability[functionSig];
}
As anyone/anything can call canCall() static function , it gets a recursive call over and over to itself, until all gases are consumed and the call is reverted
Test Code
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.28;
import {Test, console} from "forge-std/Test.sol";
import {MultiRolesAuthority} from "../lib/solmate/src/auth/authorities/MultiRolesAuthority.sol";
import {Authority} from "../lib/solmate/src/auth/Auth.sol";
contract t1 is MultiRolesAuthority {
constructor(address _owner, Authority _authority) MultiRolesAuthority(_owner, _authority) {}
}
contract myTest is Test {
t1 public _t;
function setUp() public {
_t = new t1(address(makeAddr("owner")), Authority(address(0)));
vm.startPrank(makeAddr("owner"));
_t.setTargetCustomAuthority(address(123), _t);
vm.stopPrank();
}
function test_() public {
_t.canCall(address(makeAddr("anyone")), address(123), bytes4(0x0));
}
}
Output
