Open code423n4 opened 2 years ago
As the TimeLock Controller is currently used nowhere in the project and it's a known issue, I would propose to put down the severity of this issue.
I double-checked the deployment scripts and indeed, Timelock is not used anywhere in the setup, and for that reason I think low risk is justified, because the only risk is the devs forgetting to upgrade the contract in the future. Also, this is not part of the core protocol.
Handle
leastwood
Vulnerability details
Impact
`TimelockController.sol` acts as an auxiliary contract to the MISO platform's core contracts. Therefore, this issue is not of high risk as not all users wanting to auction tokens will use this contract for governance behaviour. The `TimelockController.sol` enables a governance framework to enforce a timelock on any proposals, giving users time to exit before a potentially dangerous maintenance operation is applied. However, the `executeBatch()` is vulnerable to reentrancy, enabling privilege escalation for any account with the `EXECUTOR` role to `ADMIN`.
Proof of Concept
Bug outlined here. Fix is outlined in this commit.
Tools Used
Sourced from publicly disclosed post by Immunefi.
Recommended Mitigation Steps
Update OpenZeppelin library to a version containing the commit fixing the bug (mentioned above). Tag `v3.4.2-solc-0.7` in OpenZeppelin's GitHub repository is an example of a compatible library that contains the aforementioned bug fix.