Handle
Tomio
Vulnerability details
Impact
The fallback() in this contract produces a false-positive transaction result when the contract executes a transaction from executeTransaction() whose target is the contract's own address but whose call data does not match any function: instead of the low-level call reverting, it returns true on success (https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/gov/Timelock.sol#L137). This happens because the fallback() catches the mismatched call data and silently accepts it.
Proof of Concept
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/gov/Timelock.sol#L41
Tools Used
Recommended Mitigation Steps
Delete fallback()
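To make the behaviour concrete, here is an added example (not the project's code) with a stripped-down executeTransaction: the admin and eta checks, the queue and the rest of the real Timelock are omitted, and `Demo`, the contract names and the function name `doesNotExist()` are constructed for the illustration. The variant with a fallback reports success for a self-targeted call that matches no function; the variant without it reverts, which is what the recommended mitigation achieves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal stand-in for Timelock.executeTransaction (hypothetical; checks omitted).
abstract contract TimelockBase {
    function executeTransaction(address target, uint256 value, string memory signature, bytes memory data)
        public payable returns (bytes memory)
    {
        bytes memory callData;
        if (bytes(signature).length == 0) {
            callData = data;
        } else {
            callData = abi.encodePacked(bytes4(keccak256(bytes(signature))), data);
        }
        // Low-level call: only `success` is checked, so any target that accepts
        // unknown calldata without reverting is reported as "executed".
        (bool success, bytes memory returnData) = target.call{value: value}(callData);
        require(success, "Timelock::executeTransaction: Transaction execution reverted.");
        return returnData;
    }
}

// Vulnerable variant: the catch-all fallback swallows mismatched calldata.
contract TimelockWithFallback is TimelockBase {
    fallback() external payable {}
}

// Mitigated variant (the recommendation): no fallback, so an unknown selector reverts.
contract TimelockNoFallback is TimelockBase {}

contract Demo {
    // Sends each Timelock a self-targeted executeTransaction for a function
    // that does not exist ("doesNotExist()", constructed for this demo).
    function run() external returns (bool withFallback, bool withoutFallback) {
        TimelockWithFallback a = new TimelockWithFallback();
        TimelockNoFallback b = new TimelockNoFallback();
        (withFallback, ) = address(a).call(abi.encodeWithSignature(
            "executeTransaction(address,uint256,string,bytes)",
            address(a), uint256(0), "doesNotExist()", bytes("")));
        (withoutFallback, ) = address(b).call(abi.encodeWithSignature(
            "executeTransaction(address,uint256,string,bytes)",
            address(b), uint256(0), "doesNotExist()", bytes("")));
        // withFallback == true (false positive); withoutFallback == false (bogus action reverts).
    }
}
```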