code-423n4 / 2021-09-sushimiso-findings


Outdated and Vulnerable `TimelockController.sol` Contract #24

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

leastwood

Vulnerability details

Impact

`TimelockController.sol` acts as an auxiliary contract to the MISO platform's core contracts. Therefore, this issue is not of high risk as not all users wanting to auction tokens will use this contract for governance behaviour. `TimelockController.sol` enables a governance framework to enforce a timelock on any proposals, giving users time to exit before a potentially dangerous maintenance operation is applied. However, `executeBatch()` is vulnerable to reentrancy, enabling privilege escalation for any account with the EXECUTOR role to ADMIN.

Proof of Concept

Bug outlined here. Fix is outlined in this commit.

Tools Used

Sourced from a publicly disclosed post by Immunefi.

Recommended Mitigation Steps

Update the OpenZeppelin library to a version containing the commit fixing the bug (mentioned above). Tag v3.4.2-solc-0.7 in OpenZeppelin's GitHub repository is an example of a compatible library that contains the aforementioned bug fix.
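
A CI check for the mitigation recommended in the report above, as an added example that is not part of the original issue or the MISO code base: it reads an npm lockfile and flags every installed copy of `@openzeppelin/contracts`, including nested transitive copies, that predates the `TimelockController` fix. It assumes the library is installed from npm; the 4.3.1 fixed version and the 3.3.0 introduction version are taken from OpenZeppelin's advisory rather than from this page, and the lockfile content and `hypothetical-dep` are constructed.

```javascript
// Added example, not project code. Fixed releases: 3.4.2 (this page names tag
// v3.4.2-solc-0.7) and 4.3.1 (assumption, from the upstream advisory).
const PKG = "@openzeppelin/contracts";
const FIXED = { 3: [3, 4, 2], 4: [4, 3, 1] };
const INTRODUCED = [3, 3, 0]; // assumption: first release with TimelockController

// "v3.4.2-solc-0.7" -> [3, 4, 2]; variant suffixes such as -solc-0.7 are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function timelockStatus(version) {
  const v = parseVersion(version);
  if (!v) return "unknown"; // git URLs, tarballs: review by hand
  if (compare(v, INTRODUCED) < 0) return "not-present";
  const fixed = FIXED[v[0]];
  if (!fixed) return "fixed"; // major 5+ was released after the fix
  return compare(v, fixed) >= 0 ? "fixed" : "vulnerable";
}

// Report every installed copy of PKG, because a nested copy can stay on an old release.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  const add = (path, meta) =>
    findings.push({ path, version: meta.version, status: timelockStatus(meta.version) });
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG)) add(path, meta);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === PKG) add(trail + "/" + name, meta);
      walk(meta.dependencies, trail + "/" + name);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return findings;
}

// Constructed sample lockfile: top-level copy is fixed, nested copy is not.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 2, packages: {
  "node_modules/@openzeppelin/contracts": { version: "3.4.2-solc-0.7" },
  "node_modules/hypothetical-dep/node_modules/@openzeppelin/contracts": { version: "3.4.0" },
} });
```

Failing the build when any finding has status `vulnerable` or `unknown` keeps a later dependency change from silently reintroducing the unpatched contract.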

Clearwood commented 2 years ago

As the TimeLock Controller is currently used nowhere in the project and it's a known issue, I would propose to put down the severity of this issue.

ghoul-sol commented 2 years ago

I double checked deployment scripts and indeed, Timelock is not used anywhere in the setup and for that reason I think low risk is justified because the only risk is the devs forgetting to upgrade the contract in the future. Also, this is not part of core protocol.

Clearwood commented 2 years ago

https://github.com/sushiswap/miso/pull/23