DEFAULT_ADMIN_ROLE functionality in Cairo

Fernando_Velazquez · September 26, 2024, 12:30pm

Hello dear all,

In the Cairo documentation related to Access Control https://docs.openzeppelin.com/contracts-cairo/0.15.0/access it states that the DEFAULT_ADMIN_ROLE acts as the default admin role for all roles. An account with this role will be able to manage any other role, unless _set_role_admin is used to select a new admin role.

My question is that when we use the _set_role_admin to select a new admin role, if the DEFAULT_ADMIN_ROLE is still active there. If yes, I dont know if there are security recommendations on how to handle it because this controls all the roles and be dangerous.

Thanks in advance,

Skyge · October 2, 2024, 11:04am

Yes.

I think no.
There is a test case about this, you can have a look:

github.com

OpenZeppelin/cairo-contracts/blob/main/packages/access/src/tests/test_accesscontrol.cairo#L425C1-L432C2


      
          #[test]
          #[should_panic(expected: ('Caller is missing role',))]
          fn test_previous_admin_cannot_grant_roles() {
              let mut state = setup();
              state.set_role_admin(ROLE, OTHER_ROLE);
              start_cheat_caller_address(test_address(), ADMIN());
              state.grant_role(ROLE, AUTHORIZED());
          }

There is a solidity version that manages the DEFAULT_ADMIN_ROLE holder, maybe you can have a look:

github.com

OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/extensions/AccessControlDefaultAdminRules.sol

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v5.0.0) (access/extensions/AccessControlDefaultAdminRules.sol)

pragma solidity ^0.8.20;

import {IAccessControlDefaultAdminRules} from "./IAccessControlDefaultAdminRules.sol";
import {AccessControl, IAccessControl} from "../AccessControl.sol";
import {SafeCast} from "../../utils/math/SafeCast.sol";
import {Math} from "../../utils/math/Math.sol";
import {IERC5313} from "../../interfaces/IERC5313.sol";

/**
 * @dev Extension of {AccessControl} that allows specifying special rules to manage
 * the `DEFAULT_ADMIN_ROLE` holder, which is a sensitive role with special permissions
 * over other roles that may potentially have privileged rights in the system.
 *
 * If a specific role doesn't have an admin role assigned, the holder of the
 * `DEFAULT_ADMIN_ROLE` will have the ability to grant it and revoke it.
 *
 * This contract implements the following risk mitigations on top of {AccessControl}:

This file has been truncated. show original

Fernando_Velazquez · October 3, 2024, 11:26am

@Skyge Thanks a lot for your help!

Topic		Replies	Views
ERC20 Roles Support Contracts	2	341	December 18, 2023
Issues with DEFAULT_ADMIN_ROLE and modifier not working Contracts erc721 , solidity , etherscan-verify	10	1012	February 1, 2023
Problem with the DEFAULT_ADMIN_ROLE Support	3	1877	August 6, 2021
Trying to add a DEFAULT_ADMIN_ROLE Smart Contracts	1	496	December 1, 2023
Contracts-upgradeable and AccessControl DEFAULT_ADMIN_ROLE Upgrades proxies	4	1496	June 17, 2021

DEFAULT_ADMIN_ROLE functionality in Cairo

Related Topics