Submission Details
Severity:
TimelockController's executeEmergencyAction() bypasses EMERGENCY_DELAY
Description
TimelocController contract has an EMERGENCY_DELAY constant:
File: contracts/core/governance/proposals/TimelockController.sol
41: /// @notice Delay for emergency actions (1 day)
42: uint256 public constant EMERGENCY_DELAY = 1 days;
There's a delay of 1 day required between scheduleEmergencyAction() and executeEmergencyAction().
The logic in executeEmergencyAction() however never verifies it and the user with EMERGENCY_ROLE can schedule & execute within one block.
Impact
EMERGENCY_ROLE can act maliciously; breaks the trust assumption that the ecosystem will get 1 day's time to dispute/act after seeing that an emergency action has been scheduled. Users can be caught off-guard.
Mitigation
Implement the delay of EMERGENCY_DELAY inside executeEmergencyAction().
Updates
Lead Judging Commences
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
TimelockController emergency actions bypass timelock by not enforcing EMERGENCY_DELAY, allowing immediate execution
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
TimelockController emergency actions bypass timelock by not enforcing EMERGENCY_DELAY, allowing immediate execution
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.