In the TimelockController.sol contract, the scheduleEmergencyAction and executeEmergencyAction functions do not use EMERGENCY_DELAY, which can lead to improper timelock behavior for emergency actions.
The vulnerability arises because scheduleEmergencyAction and executeEmergencyAction never apply EMERGENCY_DELAY. Emergency actions are intended to be executed with a shorter delay than regular actions. Because the delay is not enforced, these functions do not respect the intended timelock behavior, and emergency actions can be executed immediately without any delay.
By not enforcing the EMERGENCY_DELAY, emergency actions can be executed immediately, bypassing the intended timelock mechanism. This can lead to hasty and potentially harmful decisions being executed without sufficient time for review and consideration. It undermines the security and governance processes of the protocol, as emergency actions are meant to have a controlled and predictable delay.
Manual Review
To mitigate this vulnerability, implement the EMERGENCY_DELAY in the scheduleEmergencyAction and executeEmergencyAction functions. This ensures that emergency actions respect the intended timelock behavior.
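A minimal sketch of the recommended enforcement, added here as an illustration and not taken from the audited TimelockController.sol. The function signatures, the `emergencyReadyAt` mapping, the `hashOperation` helper, the custom errors and events, and the 1-day value are all assumptions; role checks are omitted and would stay as in the real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the audited contract. Signatures, storage layout
// and the delay value are assumptions; access control is omitted.
contract EmergencyTimelockSketch {
    uint256 public constant EMERGENCY_DELAY = 1 days; // assumed value

    // operation id => earliest execution timestamp (0 means not scheduled)
    mapping(bytes32 => uint256) public emergencyReadyAt;

    error AlreadyScheduled(bytes32 id);
    error NotScheduled(bytes32 id);
    error NotReady(bytes32 id, uint256 readyAt);
    error CallFailed(bytes32 id);

    event EmergencyScheduled(bytes32 indexed id, uint256 readyAt);
    event EmergencyExecuted(bytes32 indexed id);

    function hashOperation(address target, uint256 value, bytes calldata data, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(target, value, data, salt));
    }

    function scheduleEmergencyAction(address target, uint256 value, bytes calldata data, bytes32 salt)
        external returns (bytes32 id)
    {
        id = hashOperation(target, value, data, salt);
        if (emergencyReadyAt[id] != 0) revert AlreadyScheduled(id);
        // Record when the action becomes executable instead of allowing it at once.
        uint256 readyAt = block.timestamp + EMERGENCY_DELAY;
        emergencyReadyAt[id] = readyAt;
        emit EmergencyScheduled(id, readyAt);
    }

    function executeEmergencyAction(address target, uint256 value, bytes calldata data, bytes32 salt)
        external payable
    {
        bytes32 id = hashOperation(target, value, data, salt);
        uint256 readyAt = emergencyReadyAt[id];
        if (readyAt == 0) revert NotScheduled(id);
        // The check the finding reports as missing: refuse execution before the delay elapses.
        if (block.timestamp < readyAt) revert NotReady(id, readyAt);
        delete emergencyReadyAt[id]; // clear before the external call so it cannot be replayed
        (bool ok, ) = target.call{value: value}(data);
        if (!ok) revert CallFailed(id);
        emit EmergencyExecuted(id);
    }
}
```

A regression test for the fix should assert that executeEmergencyAction reverts in the same block as scheduling and succeeds only once the block timestamp has advanced by at least EMERGENCY_DELAY.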