Dual Execution via ID Collision
Summary
Both regular and emergency operations use the same ID generation logic but are stored in separate mappings (_operations and _emergencyActions). This allows An operation to exist simultaneously in both mappings.
-
The same transaction batch to be executed twice:
Once via
executeEmergencyAction(immediately, bypassing timelock)Again via
executeBatch(after timelock delay)
Vulnerability Details
Step-by-Step Exploit
Create Colliding ID:
Proposer creates a regular operation with parameters(targets, values, calldatas, salt), generating IDX.Schedule Emergency Action:
Emergency role schedules an emergency action with the same parameters, reusing IDX.Execute via Emergency:
Execute via Regular:
After timelock delay:
executeEmergencyAction doesn't check regular operations and executeBatch doesn't check emergency actions
Impact
If the operation sends 100 ETH to an address:
Attacker executes it twice, draining 200 ETH instead of 100 ETH.
Tools Used
Foundry
Recommendations
Add a type discriminator to the ID hashing to prevent collisions
Lead Judging Commences
TimelockController.executeEmergencyAction doesn't mark operations as executed, allowing the same operation to be executed again through the regular path
TimelockController.executeEmergencyAction doesn't mark operations as executed, allowing the same operation to be executed again through the regular path
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.