update grant role to revoke personal deployer admin #56
nguyennk92 wants to merge 2 commits into main from
Conversation
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| v3automation.grantRole(v3automation.DEFAULT_ADMIN_ROLE(), multisig); | ||
| v3automation.grantRole(v3automation.ADMIN_ROLE(), multisig); | ||
| v3automation.revokeRole(v3automation.ADMIN_ROLE(), deployerAddress); | ||
| v3automation.revokeRole(v3automation.DEFAULT_ADMIN_ROLE(), deployerAddress); |
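Review bot: nothing in this hunk checks that `multisig` is non-zero or that the broadcaster actually holds DEFAULT_ADMIN_ROLE before the four calls run, so a bad MULTISIG value (the risk the summary itself calls out) would grant admin to an unusable address and then revoke it from the deployer in the same run. Suggest a `require(multisig != address(0))` before the grants and a `require(v3automation.hasRole(v3automation.DEFAULT_ADMIN_ROLE(), multisig))` check between the grants and the revokes, so the script stops before removing the last working admin.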
Script revokes from wrong address, causing failure
High Severity
The scripts try to revoke roles from deployerAddress (derived from PRIVATE_KEY) and assume this address has DEFAULT_ADMIN_ROLE. However, during initialization in Init.s.sol, roles are granted to the WITHDRAWER address (via admin in CommonScript), not the deployer. If these addresses differ, the grantRole calls will revert because deployerAddress lacks admin permissions, and even if they succeed, the revokeRole calls would revoke from the wrong account—failing to remove the actual admin's privileges.
Additional Locations (1)
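A defensive version of the role handover that addresses the failure mode described in the comment above, written as an added example rather than the project's own script. It assumes an OpenZeppelin-style AccessControl surface on the target contract (DEFAULT_ADMIN_ROLE, ADMIN_ROLE, hasRole, grantRole, revokeRole), reuses the PRIVATE_KEY and MULTISIG environment variables named on this page, and introduces two assumed variables of its own: CURRENT_ADMIN (the account that actually received the roles at init, which may be WITHDRAWER rather than the deployer) and TARGET (the contract address), so the same script serves both the V3Automation and V3Utils flows.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Script} from "forge-std/Script.sol";

/// Assumed AccessControl surface of the target contract (OpenZeppelin-style).
/// This interface is part of the example, not a file from the project.
interface IAccessControlTarget {
    function DEFAULT_ADMIN_ROLE() external view returns (bytes32);
    function ADMIN_ROLE() external view returns (bytes32);
    function hasRole(bytes32 role, address account) external view returns (bool);
    function grantRole(bytes32 role, address account) external;
    function revokeRole(bytes32 role, address account) external;
}

/// Hands DEFAULT_ADMIN_ROLE and ADMIN_ROLE to the multisig and removes them
/// from the current admin, refusing to run if any precondition would leave
/// the contract without a usable admin.
contract SafeRoleHandoverScript is Script {
    function run() external {
        uint256 pk = vm.envUint("PRIVATE_KEY");      // from the page's sample.env
        address broadcaster = vm.addr(pk);
        address multisig = vm.envAddress("MULTISIG"); // from the page's sample.env
        // Assumed variables for this example: who holds admin today, and which
        // contract to act on. CURRENT_ADMIN defaults to the broadcaster but must
        // be overridden when init granted the roles to another account.
        address currentAdmin = vm.envOr("CURRENT_ADMIN", broadcaster);
        IAccessControlTarget target = IAccessControlTarget(vm.envAddress("TARGET"));

        bytes32 defaultAdmin = target.DEFAULT_ADMIN_ROLE();
        bytes32 admin = target.ADMIN_ROLE();

        // Preconditions: fail before any state change rather than mid-way.
        require(multisig != address(0), "MULTISIG is unset or zero");
        require(multisig != currentAdmin, "MULTISIG equals CURRENT_ADMIN; nothing to hand over");
        require(
            target.hasRole(defaultAdmin, broadcaster),
            "broadcaster lacks DEFAULT_ADMIN_ROLE; grantRole would revert"
        );
        require(
            target.hasRole(defaultAdmin, currentAdmin),
            "CURRENT_ADMIN does not hold DEFAULT_ADMIN_ROLE; wrong address for revoke"
        );

        vm.startBroadcast(pk);

        // Grant first, then verify, then revoke: the multisig must demonstrably
        // hold admin before the previous holder loses it.
        target.grantRole(defaultAdmin, multisig);
        target.grantRole(admin, multisig);
        require(target.hasRole(defaultAdmin, multisig), "multisig did not receive DEFAULT_ADMIN_ROLE");
        require(target.hasRole(admin, multisig), "multisig did not receive ADMIN_ROLE");

        target.revokeRole(admin, currentAdmin);
        target.revokeRole(defaultAdmin, currentAdmin);

        vm.stopBroadcast();

        // Postconditions: exactly the intended end state, or the run is flagged.
        require(!target.hasRole(defaultAdmin, currentAdmin), "CURRENT_ADMIN still has DEFAULT_ADMIN_ROLE");
        require(!target.hasRole(admin, currentAdmin), "CURRENT_ADMIN still has ADMIN_ROLE");
    }
}
```

Because Forge simulates every call locally before broadcasting, the `hasRole` checks after the grants observe the simulated state, so a failing precondition or postcondition aborts the whole run with nothing sent on-chain. Invoking it as `forge script script/SafeRoleHandover.s.sol:SafeRoleHandoverScript --rpc-url $RPC_URL --broadcast` with `CURRENT_ADMIN` set to the WITHDRAWER address would avoid the wrong-address revoke described in the comment.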
| grant-role-v3automation: v3automation | ||
| forge script script/GrantRole.s.sol:V3AutomationGrantRoleScript --rpc-url $(RPC_URL) --broadcast --legacy --gas-price 0 | ||
| grant-role-v3utils: v3utils | ||
| forge script script/GrantRole.s.sol:V3UtilsGrantRoleScript --rpc-url $(RPC_URL) --broadcast --legacy --gas-price 0 |
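Review bot: the two forge invocations are identical apart from the contract name, so the `--legacy --gas-price 0` flags now live in two places and can drift; consider one variable or pattern rule for the `forge script ... --rpc-url $(RPC_URL) --broadcast --legacy --gas-price 0` tail, and list both `grant-role-v3automation` and `grant-role-v3utils` as prerequisites wherever the old `grant-role` target was invoked so neither contract is left unconfigured.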
Makefile references removed grant-role target
Medium Severity
The deploy-everything target calls make grant-role on line 62, but this target was renamed to grant-role-v3automation in the same diff. Running make deploy-everything will fail at this step. Additionally, the new grant-role-v3utils target is not included, so even if corrected to call only grant-role-v3automation, the V3Utils contract wouldn't have its roles configured.
Note
Medium Risk
Touches access-control administration by granting/revoking DEFAULT_ADMIN_ROLE/ADMIN_ROLE; a misconfigured MULTISIG or execution on the wrong deployment address could lock out admin control.

Overview
Moves post-deploy role management toward multisig custody by updating GrantRole.s.sol to grant DEFAULT_ADMIN_ROLE/ADMIN_ROLE to MULTISIG and revoke those roles from the deployer address (derived from PRIVATE_KEY), and adds a new V3UtilsGrantRoleScript alongside the existing V3Automation flow.

Updates tooling/config to support this: the Makefile now exposes grant-role-v3automation and grant-role-v3utils targets, sample.env adds MULTISIG, and contracts.json adds additional chain-id entries (130, 999, 43114).

Written by Cursor Bugbot for commit 1457ea3.