operations can be executed again when emergency action is called in TimelockController.sol
Summary
The executeEmergencyAction() in TimelockController.sol executes the actions in operation[id] but it does not delete the _operations[id] mapping.
When an operation is in the execution stage and emergencyAction() is called, the action can be executed again.
Vulnerability Details
An operation can be scheduled in TimelockController.sol directly through scheduleBatch() or through a successful proposal in Governance.sol.
For proposals in Governance.sol, this is the rough timeline:
If anywhere after the first execute() and emergencyAction() is called, this proposal will still continue to go through the stages and can be called again unless the CANCELLER_ROLE cancels the operation.
Impact
Actions can be called again.
Tools Used
Manual Review
Recommendations
Delete _operations[id] in the emergencyAction() function.
Or set the _operations[id].executed to true so it cannot be executed again
Lead Judging Commences
TimelockController.executeEmergencyAction doesn't mark operations as executed, allowing the same operation to be executed again through the regular path
TimelockController.executeEmergencyAction doesn't mark operations as executed, allowing the same operation to be executed again through the regular path
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.