An operation in `scheduleBatch` can be scheduled even if the predecessor has not been executed
Summary
The TimelockController::scheduleBatch contains a logical flaw in the predecessor check condition allowing operation to be scheduled even if the predecessor has not been executed. This can lead to incorrect execution order.
Vulnerability Details
The issue lies in scheduleBatch():
This conditional check !isOperationDone(predecessor) && !isOperationPending(predecessor) will always evaluate to false because:
If the predecessor operation does not exist, both
isOperationDone(predecessor)andisOperationPending(predecessor)will returnfalse, making the conditiontrue && true, which istrue.If the predecessor operation exists, either
isOperationDone(predecessor)orisOperationPending(predecessor)will returntrue, making the conditionfalse.
Impact
Operations may be executed out of order.
Tools Used
Manual review
Recommendations
-
Remove this additional check since operations can be scheduled regardless of previous operation's execution status
-
Update the condition to correctly check if the predecessor operation has not been executed as:
if (predecessor != bytes32(0)) {if (!isOperationDone(predecessor)) {revert PredecessorNotExecuted(predecessor);}}
Lead Judging Commences
TimelockController::scheduleBatch checks if predecessor is pending OR executed rather than requiring execution as per comment, allowing scheduling before predecessor executes
TimelockController::scheduleBatch checks if predecessor is pending OR executed rather than requiring execution as per comment, allowing scheduling before predecessor executes
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.