@lazy-sol/access-control-upgradeable 1.1.1 → 1.1.4

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+v1.1.3: Prem's audit and its resolution
+- See the list of issues found and resolved in [the audit resolution doc](./audits/1.1_Prem_resolution.md)
+- See the audit methodology and issues found in [the original audit report](./audits/1.1_final_Prem.pdf)
+
+v1.1.2: do not enable full privileges to zero address on contract initialization
+
 v1.1.0: Contact Size Optimizations
 
 - __Breaking Change:__ Solidity 0.8.4 is now required to compile the contracts (previously was 0.8.2).

package/LICENSE.txt

@@ -1,6 +1,7 @@
 The MIT License (MIT)
 
 Copyright (c) 2017-2024 Basil Gorin
+Copyright (c) 2024–2025 Lazy So[u]l
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

package/README.md

@@ -7,6 +7,10 @@ A shortcut to a modular and easily pluggable dapp architecture.
 Enable the modular plug and play (PnP) architecture for your dapp by incorporating the role-based access control (RBAC)
 into the smart contracts.
 
+## Audit(s)
+* [v1.1 Audit by Prem, January 1–30, 2025](./audits/1.1_final_Prem.pdf)
+  * [Resolution: v1.1 Audit by Prem](./audits/1.1_Prem_resolution.md)
+
 ## Technical Overview
 
 Role-based Access Control (RBAC), or simply Access Control, is the base parent contract to be inherited by other smart
@@ -219,7 +223,23 @@ Examples:
 [ERC20v1](https://raw.githubusercontent.com/vgorin/solidity-template/master/contracts/token/upgradeable/ERC20v1.sol),
 [ERC721v1](https://raw.githubusercontent.com/vgorin/solidity-template/master/contracts/token/upgradeable/ERC721v1.sol).
 
+## Evaluating Currently Enabled Features and Roles on the Deployed Contract
+
+1.  To evaluate currently enabled features use
+    * `features()` function, or
+    * `getRole(this)` function, replacing `this` with the deployed contract address
+2.  To evaluate currently enabled permissions for a **particular** address use
+    * `getRole(address)` function
+3.  To find **all** the addresses having any permissions, track the `RoleUpdated()` event and evaluate the history
+    of `assiged` roles for every `operator` address
+    * Alternatively, use the [tool](ui.html) which automates the process
+      (see demo [here](https://lazy-sol.github.io/access-control/ui.html))
+
 ## See Also
 [Role-based Access Control (RBAC)](https://github.com/lazy-sol/access-control/blob/master/README.md)
 
-(c) 2017–2024 Basil Gorin
+## Contributing
+Please see the [Contribution Guide](https://github.com/lazy-sol/access-control/blob/master/CONTRIBUTING.md) document to get understanding on how to report issues,
+contribute to the source code, fix bugs, introduce new features, etc.
+
+(c) 2017–2025 Basil Gorin

package/audits/1.1_Prem_resolution.md

@@ -0,0 +1,46 @@
+# AccessControlUpgradable: Smart Contract Audit Report Resolution #
+
+## Resolution Summary ##
+
+| ID      |                                                             | Resolution   |
+|---------|-------------------------------------------------------------|--------------|
+| Minor-1 | Insufficient Event Logging in `RoleUpdated`                 | Fixed        |
+| Minor-2 | No Check for `role != 0` in `updateRole`                    | Mitigated    |
+| Notes-1 | Version Constraints with Known Issues                       | Mitigated    |
+| Notes-2 | Visibility Optimization for Gas Savings                     | Fixed        |
+| Notes-3 | Potential Improvement for `FULL_PRIVILEGES_MASK` Assignment | Acknowledged |
+| Notes-4 | Test Coverage                                               | Fixed        |
+
+For issues which were ignored, acknowledged, mitigated, or fixed differently than suggested by the auditor, see the
+[Comments](#comments) section below.
+
+## Comments ##
+
+### Minor-2. No Check for `role != 0` in `updateRole` ###
+To be used as a parent contract for RBAC-based applications, the `AccessControl` contract is originally designed to be
+lightweight, which was improved even further in version 1.1 by introducing the `AccessControlCore` contract.
+
+To minimise contract size, we minimise the number of public functions exposed and use a single public function
+`updateRole` to add, modify, and delete permissions, including self-revoke.
+
+Mitigated by adding an explicit and very well noticeable comment in the SolDoc for `updateRole` function.
+
+### Notes-1. Version Constraints with Known Issues ###
+To allow the use as a parent contract for a wide range of RBAC-based applications, and serve as a Solidity library,
+we try to keep pragma constraint as low as possible. This approach maximizes compatibility.
+
+Mitigated by updating the compiler version to 0.8.28 in `hardhat.config.js`.
+
+### Notes-2. Visibility Optimization for Gas Savings 
+Visibility modifier was changed from `public` to `external` for functions `isFeatureEnabled`, `isSenderInRole`,
+`isOperatorInRole`, `updateFeatures`, `updateRole`, `updateAccessRole`, and `deployNewOwnableToAccessControlAdapter`.
+
+Functions `features`, and `getRole` remain public to be accessible in inheriting contracts.
+
+### Notes-3. Potential Improvement for `FULL_PRIVILEGES_MASK` Assignment ###
+Role-based Access Control (RBAC) library, and its AccessControl* contracts are designed to be a long-term, but still
+temporary solution for the projects evolving in the direction of the fully decentralized operation. RBAC Lifecycle
+assumes that all the permissions are eventually either fully revoked from external participants, or are fully
+transitioned to the DAO governance smart contract.
+
+Thus, further improvements to `FULL_PRIVILEGES_MASK` assignments and management are out of scope for the RBAC library.

package/contracts/InitializableAccessControl.sol

@@ -67,7 +67,7 @@ abstract contract InitializableAccessControl is InitializableAccessControlCore {
 	 * @param required set of features to check against
 	 * @return true if all the features requested are enabled, false otherwise
 	 */
-	function isFeatureEnabled(uint256 required) public view returns (bool) {
+	function isFeatureEnabled(uint256 required) external view returns (bool) {
 		// delegate to internal `_isFeatureEnabled`
 		return _isFeatureEnabled(required);
 	}
@@ -78,7 +78,7 @@ abstract contract InitializableAccessControl is InitializableAccessControlCore {
 	 * @param required set of permissions (role) to check against
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
-	function isSenderInRole(uint256 required) public view returns (bool) {
+	function isSenderInRole(uint256 required) external view returns (bool) {
 		// delegate to internal `_isSenderInRole`
 		return _isSenderInRole(required);
 	}
@@ -90,7 +90,7 @@ abstract contract InitializableAccessControl is InitializableAccessControlCore {
 	 * @param required set of permissions (role) to check
 	 * @return true if all the permissions requested are enabled, false otherwise
 	 */
-	function isOperatorInRole(address operator, uint256 required) public view returns (bool) {
+	function isOperatorInRole(address operator, uint256 required) external view returns (bool) {
 		// delegate to internal `_isOperatorInRole`
 		return _isOperatorInRole(operator, required);
 	}

package/contracts/InitializableAccessControlCore.sol

@@ -130,11 +130,12 @@ abstract contract InitializableAccessControlCore is Initializable {
 	/**
 	 * @dev Fired in updateRole() and updateFeatures()
 	 *
+	 * @param by address which has granted/revoked permissions to operator
 	 * @param operator address which was granted/revoked permissions
 	 * @param requested permissions requested
 	 * @param assigned permissions effectively set
 	 */
-	event RoleUpdated(address indexed operator, uint256 requested, uint256 assigned);
+	event RoleUpdated(address indexed by, address indexed operator, uint256 requested, uint256 assigned);
 
 	/**
 	 * @notice Function modifier making a function defined as public behave as restricted
@@ -174,8 +175,11 @@ abstract contract InitializableAccessControlCore is Initializable {
 	 * @param _features initial features mask of the contract, can be zero
 	 */
 	function _postConstruct(address _owner, uint256 _features) internal virtual onlyInitializing {
-		// grant owner full privileges
-		__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
+		// if there is a request to set owner (zero address owner means no owner)
+		if(_owner != address(0)) {
+			// grant owner full privileges
+			__setRole(_owner, FULL_PRIVILEGES_MASK, FULL_PRIVILEGES_MASK);
+		}
 		// update initial features bitmask
 		__setRole(address(this), _features, _features);
 	}
@@ -199,7 +203,7 @@ abstract contract InitializableAccessControlCore is Initializable {
 	 *
 	 * @return 256-bit bitmask of the features enabled
 	 */
-	function features() public view returns (uint256) {
+	function features() public view returns(uint256) {
 		// features are stored in 'this' address mapping of `userRoles`
 		return getRole(address(this));
 	}
@@ -213,9 +217,9 @@ abstract contract InitializableAccessControlCore is Initializable {
 	 *
 	 * @param _mask bitmask representing a set of features to enable/disable
 	 */
-	function updateFeatures(uint256 _mask) public {
-		// delegate call to `updateRole`
-		updateRole(address(this), _mask);
+	function updateFeatures(uint256 _mask) external {
+		// delegate to internal `_updateRole()`
+		_updateRole(address(this), _mask);
 	}
 
 	/**
@@ -240,22 +244,34 @@ abstract contract InitializableAccessControlCore is Initializable {
 	 * @notice Updates set of permissions (role) for a given user,
 	 *      taking into account sender's permissions.
 	 *
-	 * @dev Setting role to zero is equivalent to removing an all permissions
+	 * @dev Setting role to zero is equivalent to removing all the permissions
 	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
 	 *      copying senders' permissions (role) to the user
 	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
 	 *
+	 * ╔════════════════════════════════════════════════════════════════════════╗
+	 * ║                WARNING: RISK OF ACCIDENTAL SELF-REVOKE                 ║
+	 * ╠════════════════════════════════════════════════════════════════════════╣
+	 * ║  updateRole function is used to add, update, delete permissions, to    ║
+	 * ║  revoke and self-revoke all the permissions, as well as to disable     ║
+	 * ║  contract upgradability by revoking ROLE_UPGRADE_MANAGER permission    ║
+	 * ║                                                                        ║
+	 * ║  updateRole(msg.sender, 0) executed by a super admin themselves        ║
+	 * ║  revokes super admin permissions forever if there is no other super    ║
+	 * ║  admin set prior to updateRole(msg.sender, 0) call                     ║
+	 * ║                                                                        ║
+	 * ║  Note that in such a case upgradeable contracts also stop being        ║
+	 * ║  upgradable as ROLE_UPGRADE_MANAGER permission is revoked              ║
+	 * ╚════════════════════════════════════════════════════════════════════════╝
+	 *
 	 * @param operator address of a user to alter permissions for,
 	 *       or self address to alter global features of the smart contract
 	 * @param role bitmask representing a set of permissions to
 	 *      enable/disable for a user specified
 	 */
-	function updateRole(address operator, uint256 role) public {
-		// caller must have a permission to update user roles
-		_requireSenderInRole(ROLE_ACCESS_MANAGER);
-
-		// evaluate the role and reassign it
-		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
+	function updateRole(address operator, uint256 role) external {
+		// delegate to internal `_updateRole()`
+		_updateRole(operator, role);
 	}
 
 	/**
@@ -367,6 +383,28 @@ abstract contract InitializableAccessControlCore is Initializable {
 		return __hasRole(getRole(operator), required);
 	}
 
+	/**
+	 * @dev Updates set of permissions (role) for a given user,
+	 *      taking into account sender's permissions.
+	 *
+	 * @dev Setting role to zero is equivalent to removing all the permissions
+	 * @dev Setting role to `FULL_PRIVILEGES_MASK` is equivalent to
+	 *      copying senders' permissions (role) to the user
+	 * @dev Requires transaction sender to have `ROLE_ACCESS_MANAGER` permission
+	 *
+	 * @param operator address of a user to alter permissions for,
+	 *       or self address to alter global features of the smart contract
+	 * @param role bitmask representing a set of permissions to
+	 *      enable/disable for a user specified
+	 */
+	function _updateRole(address operator, uint256 role) internal {
+		// caller must have a permission to update user roles
+		_requireSenderInRole(ROLE_ACCESS_MANAGER);
+
+		// evaluate the role and reassign it
+		__setRole(operator, role, _evaluateBy(msg.sender, getRole(operator), role));
+	}
+
 	/**
 	 * @dev Sets the `assignedRole` role to the operator, logs both `requestedRole` and `actualRole`
 	 *
@@ -387,7 +425,7 @@ abstract contract InitializableAccessControlCore is Initializable {
 		userRoles[operator] = assignedRole;
 
 		// fire an event
-		emit RoleUpdated(operator, requestedRole, assignedRole);
+		emit RoleUpdated(msg.sender, operator, requestedRole, assignedRole);
 	}
 
 	/**

package/contracts/UpgradeableAccessControlCore.sol

@@ -73,7 +73,7 @@ abstract contract UpgradeableAccessControlCore is InitializableAccessControlCore
 	 *
 	 * @return the current implementation address
 	 */
-	function getImplementation() public view virtual returns (address) {
+	function getImplementation() external view virtual returns (address) {
 		// delegate to `ERC1967Upgrade._getImplementation()`
 		return _getImplementation();
 	}

package/contracts/mocks/UpgradeableAccessControlMocks.sol

@@ -22,6 +22,10 @@ contract UpgradeableAccessControl1 is UpgradeableAccessControlMock {
 	string public version1;
 
 	function postConstruct(address _owner, uint256 _features) public virtual initializer {
+		postConstructNonInit(_owner, _features);
+	}
+
+	function postConstructNonInit(address _owner, uint256 _features) public virtual {
 		_postConstruct(_owner, _features);
 		version1 = "1";
 	}
@@ -31,6 +35,10 @@ contract UpgradeableAccessControl2 is UpgradeableAccessControlMock {
 	string public version2;
 
 	function postConstruct(address _owner, uint256 _features) public virtual initializer {
+		postConstructNonInit(_owner, _features);
+	}
+
+	function postConstructNonInit(address _owner, uint256 _features) public virtual {
 		_postConstruct(_owner, _features);
 		version2 = "2";
 	}

package/hardhat.config.js

@@ -50,7 +50,7 @@ module.exports = {
 		// https://hardhat.org/guides/compile-contracts.html
 		compilers: [
 			{
-				version: "0.8.4",
+				version: "0.8.28",
 				settings: {
 					optimizer: {
 						enabled: true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lazy-sol/access-control-upgradeable",
-  "version": "1.1.1",
+  "version": "1.1.4",
   "description": "Enable the modular plug and play (PnP) architecture for your dapp by incorporating the role-based access control (RBAC) into the smart contracts",
   "main": "index.js",
   "scripts": {
@@ -25,17 +25,19 @@
     "@openzeppelin/contracts-upgradeable": "4.9.6"
   },
   "devDependencies": {
-    "@lazy-sol/a-missing-gem": "^1.0.10",
+    "@lazy-sol/a-missing-gem": "^1.0.12",
     "@lazy-sol/zeppelin-test-helpers": "^1.0.5",
     "@nomiclabs/hardhat-truffle5": "^2.0.7",
     "@openzeppelin/contracts": "4.9.6",
-    "hardhat": "^2.22.13",
+    "hardhat": "^2.25.0",
     "hardhat-dependency-injector": "^1.0.1",
     "hardhat-gas-reporter": "^1.0.10",
-    "solidity-coverage": "^0.8.13"
+    "solidity-coverage": "^0.8.16"
   },
   "overrides": {
     "axios": ">=1.7.5",
+    "cookie": ">=0.7.0",
+    "elliptic": "^6.6.0",
     "micromatch": "^4.0.8",
     "tar": "^6.2.1",
     "tough-cookie": "^4.1.3",

package/test/include/rbac.behaviour.js

@@ -59,23 +59,34 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 			beforeEach(async function() {
 				access_control = await deployment_fn.call(this, a0, owner, features);
 			});
-			it('"RoleUpdated(owner)" event is emitted correctly', async function() {
-				await expectEvent.inConstruction(access_control, "RoleUpdated", {
-					operator: owner,
-					requested: FULL_PRIVILEGES_MASK,
-					assigned: FULL_PRIVILEGES_MASK,
+			if(owner !== ZERO_ADDRESS) {
+				it('"RoleUpdated(owner)" event is emitted correctly', async function() {
+					await expectEvent.inConstruction(access_control, "RoleUpdated", {
+						by: a0,
+						operator: owner,
+						requested: FULL_PRIVILEGES_MASK,
+						assigned: FULL_PRIVILEGES_MASK,
+					});
 				});
-			});
+			}
 			it('"RoleUpdated(this)" event is emitted correctly', async function() {
 				await expectEvent.inConstruction(access_control, "RoleUpdated", {
+					by: a0,
 					operator: access_control.address,
 					requested: features,
 					assigned: features,
 				});
 			});
-			it("owners' role is set correctly", async function() {
-				expect(await access_control.getRole(owner)).to.be.bignumber.that.equals(FULL_PRIVILEGES_MASK);
-			});
+			if(owner !== ZERO_ADDRESS) {
+				it("owners' role is set correctly", async function() {
+					expect(await access_control.getRole(owner)).to.be.bignumber.that.equals(FULL_PRIVILEGES_MASK);
+				});
+			}
+			else {
+				it("owners' role is not set", async function() {
+					expect(await access_control.getRole(owner)).to.be.bignumber.that.equals("0");
+				});
+			}
 			it("features are set correctly", async function() {
 				expect(await access_control.features()).to.be.bignumber.that.equals(features);
 			});
@@ -125,6 +136,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: set,
 									assigned: set,
@@ -148,6 +160,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: not(remove),
 									assigned: not(remove),
@@ -173,6 +186,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: set,
 									assigned: "0",
@@ -197,6 +211,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: not(remove),
 									assigned: MAX_UINT256,
@@ -228,6 +243,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: set,
 									assigned: role.and(set),
@@ -252,6 +268,7 @@ function behavesLikeRBAC(deployment_fn, a0, a1, a2) {
 							});
 							it('"RoleUpdated" event', async function() {
 								expectEvent(receipt, "RoleUpdated", {
+									by,
 									operator: to_fn(to),
 									requested: not(remove),
 									assigned: not(role.and(remove)),

package/test/rbac_upgradeable.js

@@ -54,6 +54,9 @@ contract("UpgradeableAccessControl (U-RBAC) Core tests", function(accounts) {
 	it("it is impossible to re-initialize", async function() {
 		await expectRevert(ac.postConstruct(ZERO_ADDRESS, 0, {from: a0}), "Initializable: contract is already initialized");
 	});
+	it("it is impossible to postConstruct non-initializing", async function() {
+		await expectRevert(ac.postConstructNonInit(ZERO_ADDRESS, 0, {from: a0}), "Initializable: contract is not initializing");
+	});
 	describe("when there is new (v2) implementation available", function() {
 		let impl2;
 		beforeEach(async function() {