code-423n4 / 2021-11-malt-findings


TIMELOCK_ROLE Has Absolute Power to Withdraw All FUND May Raise Red Flags for Investors #125

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

Meta0xNull

Vulnerability details

Impact

TIMELOCK_ROLE Can Withdraw All FUND from the Contracts via emergencyWithdrawGAS(), emergencyWithdraw(), partialWithdrawGAS(), partialWithdraw().

While I believe the developers have good intentions in using these functions, it is often associated with a Rug Pull by the developers in the eyes of investors, because Rug Pulls are not uncommon in DeFi. Investors lose all their hard-earned money.

Read More: $10.8M Stolen, Developers Implicated in Alleged Smart Contract 'Rug Pull' https://www.coindesk.com/tech/2020/12/02/108m-stolen-developers-implicated-in-alleged-smart-contract-rug-pull/

Read More: The Rise of Cryptocurrency Exit Scams and DeFi Rug Pulls https://www.cylynx.io/blog/the-rise-of-cryptocurrency-exit-scams-and-defi-rug-pulls/

Proof of Concept

https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/Permissions.sol#L80-L109

Tools Used

Manual Review

Recommended Mitigation Steps

  1. Pause the contract and disable all functions when a bad thing happens, rather than withdrawing all funds to a random address.
  2. If withdrawing funds can't be avoided, a multisig ETH address should be hardcoded into the contract to ensure the funds move to a safe wallet.

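The two mitigation steps above combined in one contract, as an added illustration that is not part of the original finding and not Malt's Permissions.sol. It assumes OpenZeppelin Contracts 4.x (AccessControl, Pausable, SafeERC20); the contract name, the `treasuryMultisig` immutable and the `PAUSER_ROLE` are hypothetical. The point is that the withdraw functions take no destination parameter at all: the only place funds can go is the multisig fixed at deployment, and a withdrawal is only possible once the contract has already been paused.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x import paths.
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/security/Pausable.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical example contract (not the project's code): emergency withdrawals
/// can only reach a multisig address fixed at deployment, and only while paused.
contract RestrictedEmergencyWithdraw is AccessControl, Pausable {
    using SafeERC20 for IERC20;

    bytes32 public constant TIMELOCK_ROLE = keccak256("TIMELOCK_ROLE");
    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");

    /// Hardcoded multisig treasury: `immutable` means no function, not even one
    /// held by TIMELOCK_ROLE, can point withdrawals anywhere else after deployment.
    address public immutable treasuryMultisig;

    event EmergencyWithdraw(address indexed token, uint256 amount);

    constructor(address _treasuryMultisig, address timelock) {
        require(_treasuryMultisig != address(0), "treasury is zero address");
        treasuryMultisig = _treasuryMultisig;
        _grantRole(DEFAULT_ADMIN_ROLE, timelock);
        _grantRole(TIMELOCK_ROLE, timelock);
        _grantRole(PAUSER_ROLE, timelock);
    }

    /// Step 1 of the mitigation: stopping the contract is the first response.
    function pause() external onlyRole(PAUSER_ROLE) {
        _pause();
    }

    function unpause() external onlyRole(PAUSER_ROLE) {
        _unpause();
    }

    /// Step 2: no `destination` argument exists, so the caller cannot choose
    /// where the tokens go. `whenPaused` forces the pause to happen first.
    function emergencyWithdraw(address token, uint256 amount)
        external
        onlyRole(TIMELOCK_ROLE)
        whenPaused
    {
        IERC20(token).safeTransfer(treasuryMultisig, amount);
        emit EmergencyWithdraw(token, amount);
    }

    /// Same restriction for native ETH ("GAS" in the finding's naming).
    function emergencyWithdrawGAS(uint256 amount)
        external
        onlyRole(TIMELOCK_ROLE)
        whenPaused
    {
        (bool ok, ) = treasuryMultisig.call{value: amount}("");
        require(ok, "ETH transfer failed");
        emit EmergencyWithdraw(address(0), amount);
    }

    receive() external payable {}
}
```

Because the destination is an `immutable` rather than a storage variable or a function parameter, a reader of the verified source can confirm by inspection where an emergency withdrawal can end up, which is exactly the disclosure the finding says investors are looking for.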
0xScotch commented 2 years ago

263

GalloDaSballo commented 2 years ago

This is not a duplicate of #263, where 263 talks about sidestepping the delay of the timelock, this finding talks about the high degree of power that the TIMELOCK_ROLE has.

This is a typical "admin privilege" finding; it's very important to disclose admin privileges to users so that they can make informed decisions.

In this case the TIMELOCK_ROLE can effectively rug the protocol, however this is contingent on the account that has the role to pull the rug.

Because of its reliance on external factors, I am downgrading the finding to medium severity.