Mismatch between `TimelockController` documentation and code
Summary
The TimelockController documentation specifies that every emergency action that needs to be executed needs to have an EMERGENCY_DELAY so that all users can take proper measures. However, the contract does not enforce such a delay, and all scheduled emergency actions can be executed immediately.
Vulnerability Details
As per the documentation:
Emergency actions have 1-day delay
This delay is evident from the code as well:
However, executeEmergencyAction does not enforce it, and actions can be executed immediately.
Impact
Users can't react to emergency actions, due to missing delay, which may force them to participate in the protocol under unfavorable conditions.
Tools Used
Manual review
Recommendations
Enforce a 1-day delay to all emergency actions.
Lead Judging Commences
TimelockController emergency actions bypass timelock by not enforcing EMERGENCY_DELAY, allowing immediate execution
TimelockController emergency actions bypass timelock by not enforcing EMERGENCY_DELAY, allowing immediate execution
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.