Submission Details
Severity:
DoS due to not accepting native ETH transfer
Summary
The `_executeProposal()` function calls the timelock's `executeBatch()` in the `TimelockController.sol` function to forward ETH to target contracts as part of scheduled operations. However, the timelock contract itself lacks a `receive()` or `fallback()` function to accept ETH. This design will cause as it is expected to hold ETH for executing operations.
Vulnerability Details
Within `_executeProposal()`, the contract retrieves a proposal, computes a unique operation ID using a salt, and then calls the timelock's `executeBatch()` function. The `executeBatch()` function is declared as payable and forwards ETH to the target contracts using the specified values array:
```solidity
_timelock.executeBatch(proposal.targets, proposal.values, proposal.calldatas, bytes32(0), salt);
```
Each target is called with a specific ETH value, as shown in the loop within `executeBatch()`. However, the timelock contract itself does not implement a `receive()` or `fallback()` function. As a result:
Accidental ETH Transfers: If a user mistakenly sends ETH directly to the timelock contract (outside of a function call), the transaction will revert, since the contract cannot accept such transfers.
Funding Challenges: the design expects the timelock to hold ETH (e.g., via explicit deposits), the lack of a receive mechanism will lead to insufficient funds for executing scheduled operations, or any ETH sent to it might become inaccessible.
### Proof of Concept
Since the contract lacks a receive() function, the transaction immediately reverts, and the ETH is not deposited.
Alternatively, if the protocol intends for the timelock to be pre-funded for executing operations, the absence of a fallback mechanism will prevent the accumulation of necessary funds, causing later operations to fail.
Impact
Operational Failures: Scheduled operations will fail if the timelock cannot receive or hold the necessary ETH, potentially leading to reverts during the execution of proposals.
Tools Used
Manual review
Recommendations
Implement a `receive()` Function:
Add a simple receive function to allow the timelock contract to accept ETH:
```solidity
receive() external payable {}
```
Implement a `fallback()` Function (if necessary):
Optionally, add a fallback function to handle any unexpected calls with ETH:
```solidity
fallback() external payable {}
```
Clarify the Funding Mechanism:
Document the intended method for funding the timelock contract. If the contract is expected to be pre-funded through a specific function or mechanism, ensure that this is clearly defined and that any excess ETH is handled gracefully.
By implementing these changes, the timelock contract will be able to receive ETH, thereby reducing the risk of operational failures and preventing potential user errors or locked funds.
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
Governance.execute lacks payable modifier and ETH forwarding mechanism, preventing proposals with ETH transfers from being executed through TimelockController
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
Governance.execute lacks payable modifier and ETH forwarding mechanism, preventing proposals with ETH transfers from being executed through TimelockController
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.