ZKsync Era (Foundry, Layer 2) contest, prize pool 500,000 USDC
Submission Details
Severity: low
Valid

Malicious Proposal Executor Could Hold The Network Hostage

Summary

The ProtocolUpgradeHandler contract lacks a mechanism to expire or cancel proposals that have reached the Ready state, allowing a malicious executor to indefinitely delay critical protocol upgrades by never executing them.

Vulnerability Details

Once a proposal reaches the Ready state through either guardian or Security Council approval, it remains in this state indefinitely until executed:

    function upgradeState(bytes32 _id) public view returns (UpgradeState) {
        // ... other states ...
        // Once in Ready state, stays there indefinitely
        uint256 readyWithGuardiansTimestamp = waitOrExpiryTimestamp + UPGRADE_DELAY_PERIOD;
        return block.timestamp >= readyWithGuardiansTimestamp ? UpgradeState.Ready : UpgradeState.ExecutionPending;
    }

    function execute(UpgradeProposal calldata _proposal) external payable {
        // Only the designated executor or anyone (if executor is address(0)) can execute
        require(
            _proposal.executor == address(0) || _proposal.executor == msg.sender,
            "msg.sender is not authorized to perform the upgrade"
        );
        // ...
    }

Note that proposal executors are not trusted actors: the executor can be any address, as chosen by the creator of the proposal.

Key issues are:

  • No expiration for proposals in Ready state

  • No way to cancel or override a ready proposal

  • No way to change the executor once proposal is created

  • No maximum timeframe for execution

Impact

A malicious or compromised executor could:

  1. Block critical protocol upgrades indefinitely

  2. Force the protocol to either:

    • Wait indefinitely for execution

    • Create a new proposal with a different executor, risking double-execution if the first proposal is eventually executed

  3. Hold the protocol hostage during time-sensitive upgrades

  4. Allow proposals to become outdated or irrelevant while preventing new ones from being proposed

The impact is severe as it could prevent necessary protocol improvements or security fixes from being implemented in a timely manner.

Tools Used

Manual review

Recommendation

Consider implementing one or more of the following safeguards:

  1. Add an execution deadline after which proposals expire

  2. Allow guardians or Security Council to cancel proposals that have been in Ready state too long

  3. Allow changing the executor through a governance process if a proposal has been in Ready state for too long.
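The following is an added, simplified model of the proposal lifecycle from the Vulnerability Details section with safeguards 1 and 2 applied; it is illustration written for this report, not the ZKsync ProtocolUpgradeHandler. Only UpgradeState.Ready, UpgradeState.ExecutionPending, UPGRADE_DELAY_PERIOD, upgradeState and execute come from the report; the other states, the EXECUTION_WINDOW constant, the guardians address, the approve and cancel functions and the Proposal struct are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, simplified upgrade handler. Everything not quoted in the
/// report is an assumption for illustration.
contract UpgradeHandlerWithExpiry {
    enum UpgradeState { None, ExecutionPending, Ready, Expired, Done, Canceled }

    struct Proposal {
        uint256 approvedAt; // when guardians / Security Council approved
        address executor;   // address(0) means anyone may execute
        bool executed;
        bool canceled;
    }

    uint256 public constant UPGRADE_DELAY_PERIOD = 1 days;
    // Safeguard 1: how long a proposal may remain in Ready before it expires.
    uint256 public constant EXECUTION_WINDOW = 7 days;

    address public immutable guardians; // assumed guardian multisig

    mapping(bytes32 => Proposal) public proposals;

    event UpgradeCanceled(bytes32 indexed id);
    event UpgradeExecuted(bytes32 indexed id);

    constructor(address _guardians) {
        guardians = _guardians;
    }

    // Stand-in for the real approval flow: records the approval timestamp.
    function approve(bytes32 id, address executor) external {
        require(msg.sender == guardians, "not guardians");
        require(proposals[id].approvedAt == 0, "already approved");
        proposals[id] = Proposal({
            approvedAt: block.timestamp,
            executor: executor,
            executed: false,
            canceled: false
        });
    }

    function upgradeState(bytes32 id) public view returns (UpgradeState) {
        Proposal storage p = proposals[id];
        if (p.approvedAt == 0) return UpgradeState.None;
        if (p.executed) return UpgradeState.Done;
        if (p.canceled) return UpgradeState.Canceled;
        uint256 readyAt = p.approvedAt + UPGRADE_DELAY_PERIOD;
        if (block.timestamp < readyAt) return UpgradeState.ExecutionPending;
        // Ready is now bounded: once the window closes the proposal can
        // never be executed, so a withholding executor cannot stall forever.
        if (block.timestamp >= readyAt + EXECUTION_WINDOW) return UpgradeState.Expired;
        return UpgradeState.Ready;
    }

    function execute(bytes32 id) external {
        Proposal storage p = proposals[id];
        require(
            p.executor == address(0) || p.executor == msg.sender,
            "msg.sender is not authorized to perform the upgrade"
        );
        require(upgradeState(id) == UpgradeState.Ready, "Upgrade is not ready");
        p.executed = true;
        emit UpgradeExecuted(id);
        // ... apply the upgrade calls here ...
    }

    // Safeguard 2: guardians can cancel a pending or ready proposal, so a
    // replacement proposal can be created without double-execution risk.
    function cancel(bytes32 id) external {
        require(msg.sender == guardians, "not guardians");
        UpgradeState s = upgradeState(id);
        require(
            s == UpgradeState.Ready || s == UpgradeState.ExecutionPending,
            "nothing to cancel"
        );
        proposals[id].canceled = true;
        emit UpgradeCanceled(id);
    }
}
```

The key change is that `upgradeState` derives Expired purely from timestamps, so no transaction from the executor or anyone else is needed for the stalled proposal to stop being executable; `cancel` covers the case where governance wants to replace the proposal before the window runs out. Safeguard 3 (re-assigning the executor through governance) is omitted here because it depends on the surrounding governance flow rather than on this contract alone.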

Updates

Lead Judging Commences

inallhonesty Lead Judge
6 months ago
inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] Informational

Admin input validation, gas, missing events not related to bridges, NATSPEC, spellcheck, Address Zero, Indexed fields in Events, 0 impact, trusted admin/party action https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

Appeal created

inallhonesty Lead Judge
5 months ago
inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of proposal expiry mechanisms can lead to governance exploits.
