Submission Details
Severity:
Predecessor is hardcoded to zero
Summary
The predecessor is hardcode to zero address when queueing a proposal
Vulnerability Details
The queueProposal allow queueing a proposal
function _queueProposal(uint256 proposalId) internal {
ProposalCore storage proposal = _proposals[proposalId];
bytes32 salt = proposal.descriptionHash;
bytes32 id = _timelock.hashOperationBatch(
proposal.targets,
proposal.values,
proposal.calldatas,
bytes32(0),
salt
);
// Check if already queued
if (_timelock.isOperationPending(id)) {
revert ProposalAlreadyExecuted(proposalId, block.timestamp);
}
// Schedule in timelock
_timelock.scheduleBatch(
proposal.targets,
proposal.values,
proposal.calldatas,
@> bytes32(0),
salt,
_timelock.getMinDelay()
);
emit ProposalQueued(proposalId, block.timestamp, id);
}
An issue with the current implementation is that, the predecessor is hardcoded to zero, meaning there'll never be a predecessor as opposed to the implementation in the timelock where a predecessor is expected in order to execute it before the current proposal.
// Check predecessor if specified
if (predecessor != bytes32(0)) {
if (!isOperationDone(predecessor) && !isOperationPending(predecessor)) {
revert PredecessorNotExecuted(predecessor);
}
}
Impact
There'll never be a predecessor due to hardcoding the address to zero.
Tools Used
Manual review
Recommendations
Don't hardcode it to zero and allow a param to be provided when proposing.
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.