recoveryTimelock on the GovernanceRouter is configured to "1" on all chains
this means when recovery is initiated, it becomes active after 1 second
When did we notice?
I discovered the mis-configuration while prepping transaction to transfer governor to Celo
How can we fix this?
recoveryTimelock is an immutable variable (stored in the code of the GovernanceRouter, rather than storage) - so, to fix, this, we need to upgrade the GovernanceRouter to a new implementation
to lock down the system while we triage, we should initiate recovery and transfer the recoveryManager role to a more secure multisig (currently configured as an EOA)
How did this happen?
mis-configuration probably due to problem in dev tooling
we need to root-cause to prevent repro in the future
What is wrong?
recoveryTimelockon theGovernanceRouteris configured to "1" on all chainsWhen did we notice?
How can we fix this?
recoveryTimelockis an immutable variable (stored in the code of the GovernanceRouter, rather than storage) - so, to fix, this, we need to upgrade the GovernanceRouter to a new implementationrecoveryManagerrole to a more secure multisig (currently configured as an EOA)How did this happen?