Era

Summary

When an approved proposal has a non-zero executor, its execution is entirely dependent on the specified executor address. If the executor fails to execute the proposal (whether intentionally or unintentionally) the proposal may remain in a ready status for an extended period. Later, when the protocol's state has changed significantly, executing this proposal could have unintended and substantial effects on the protocol's functionality.

Vulnerability Details

Imagine a proposal has been approved by the security council or guardians, and its proposal.executor is non-zero, meaning only the address specified in proposal.executor can execute the proposal.
Link to code

If for any reason the executor fails to execute the proposal (whether due to unwillingness, incapacity, or compromise) the proposal will remain in the ready status.

At some point in the future, even after many protocol upgrades, the executor may decide to execute the proposal. Since the proposal is still in the ready state (as it was previously approved by the security council or guardians), it can be executed at any time. However, by this time, the protocol's state may have changed considerably, and executing a proposal created long ago could have a significant and unintended impact on the protocol.

Moreover, since there is no mechanism to cancel an approved proposal and no set deadline for its execution, safeguarding against such scenarios is not straightforward.

Impact

Old, approved proposals that have not been executed can be carried out at any time by the proposal.executor, potentially altering the protocol's status in ways that were never intended, especially if the protocol has evolved considerably since the proposal’s approval.

Tools Used

Recommendations

Proposals, particularly those with a non-zero executor, should have a defined deadline for execution to prevent them from being executed long after their approval, especially if the protocol’s state has changed in the meantime.