Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

possible transaction replay

Summary

Per the contest scope, the contract is intended to be deployed on a list of chains:

All EVM Compatible, Curve ecosystem ready (cross curve via EYWA).
NFT should be standard compatible (OpenSea, ...), and later will be using Instruxi Mesh.
OpenZeppelin inherited.
Chainlink Functions
CurveVault when available (mainnet).
USDC or other ERC20 usable in Zeno, but also within the pools.
Auto-compounders (e.g: Llama Airforce)

Vulnerability Details

Multiple functions in the TimelockController contract are missing a chainId parameter:

function scheduleBatch(
    address[] calldata targets,
    uint256[] calldata values,
    bytes[] calldata calldatas,
    bytes32 predecessor,
    bytes32 salt,
    uint256 delay
) external override onlyRole(PROPOSER_ROLE) returns (bytes32)
......
function executeBatch(
    address[] calldata targets,
    uint256[] calldata values,
    bytes[] calldata calldatas,
    bytes32 predecessor,
    bytes32 salt
) external override payable nonReentrant onlyRole(EXECUTOR_ROLE)
.......
function executeEmergencyAction(
    address[] calldata targets,
    uint256[] calldata values,
    bytes[] calldata calldatas,
    bytes32 predecessor,
    bytes32 salt
) external payable onlyRole(EMERGENCY_ROLE) nonReentrant
.............
function hashOperationBatch(
    address[] calldata targets,
    uint256[] calldata values,
    bytes[] calldata calldatas,
    bytes32 predecessor,
    bytes32 salt
) public pure returns (bytes32)

Impact

Transactions can be replayed on any chain

Tools Used

Manual Review

Recommendations

Add a chainId parameter to the functions

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
