In TimelockController::executeEmergencyAction, the nonReentrant modifier is placed after the onlyRole modifier. This ordering could allow a malicious actor with the EMERGENCY_ROLE to perform a reentrancy attack during the role check, before the reentrancy guard is activated.
The issue arises because:
- onlyRole check executes first
- During this check, the contract state is unprotected from reentrancy
- The nonReentrant guard only activates after role verification
- Reentrancy Window: Creates a small window where reentrancy is possible during role checking
- State Manipulation: An attacker with EMERGENCY_ROLE could potentially:
  - Re-enter the contract during role verification
  - Manipulate contract state before reentrancy guard activates
  - Execute emergency actions multiple times in a single transaction
- Critical Severity: Given this is an emergency action function, any vulnerability could have severe consequences
- Privileged Attack Vector: While this requires EMERGENCY_ROLE access, it still represents a significant risk
Correct Modifier Order
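
A sketch of the ordering this recommendation refers to, added here as an example; it is not the audited TimelockController code. The minimal guard, the role mapping, the constructor and the `(target, data)` signature are assumptions made so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. The guard and role storage
// are minimal stand-ins and the function signature is assumed.
contract ModifierOrderExample {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    bytes32 public constant EMERGENCY_ROLE = keccak256("EMERGENCY_ROLE");
    mapping(bytes32 => mapping(address => bool)) private _roles;

    error ReentrantCall();
    error MissingRole(address account, bytes32 role);
    error CallFailed();

    constructor(address emergencyAdmin) {
        _roles[EMERGENCY_ROLE][emergencyAdmin] = true;
    }

    modifier nonReentrant() {
        if (_status == ENTERED) revert ReentrantCall();
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }

    modifier onlyRole(bytes32 role) {
        if (!_roles[role][msg.sender]) revert MissingRole(msg.sender, role);
        _;
    }

    // Modifiers run left to right in the order they are listed, so the guard
    // is set before the role check and stays set until the body, including
    // the external call, has returned.
    function executeEmergencyAction(address target, bytes calldata data)
        external
        nonReentrant
        onlyRole(EMERGENCY_ROLE)
    {
        (bool ok, ) = target.call(data);
        if (!ok) revert CallFailed();
    }
}
```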