quantizations
commented
2 years ago As part of the contest guidelines, it was to be assumed this was the deployment configuration: https://docs.rolla.finance/rolla/quant-protocol/deployments
The role is assigned in the code above but does not remain in the documented configuration as it is renounced in the deployment scripts
alcueca
Lines of code
https://github.com/code-423n4/2022-03-rolla/blob/efe4a3c1af8d77c5dfb5ba110c3507e67a061bdd/quant-protocol/contracts/timelock/TimelockController.sol#L78-L80
Vulnerability details
The purpose of a
ConfigTimelockControllercontract is to put a limit on the privileges of theadmin, by forcing a two step process by two different roles with a preset delay time.However, we found that the current implementation actually won't serve that purpose as it allows the
adminto execute transactions without any constraints under certain circumstances.If the initial admin (
deployer) is malicious or compromised, the attacker can callgrantRole()grantTIMELOCK_ADMIN_ROLEto an address controlled by the attacker, and the revoke theTIMELOCK_ADMIN_ROLEof the the initial admin (deployer) and all other roles held by other addresses.Then they can grant
PROPOSER_ROLEandEXECUTOR_ROLEto themselves and do pretty much anything afterwards.In conclusion, a Timelock contract is supposed to guard the protocol from lost private key or malicious actions. The current implementation makes it possible for the admin not to obey the desired constraints, and they can hijack the whole timelock.
https://github.com/code-423n4/2022-03-rolla/blob/efe4a3c1af8d77c5dfb5ba110c3507e67a061bdd/quant-protocol/contracts/timelock/TimelockController.sol#L78-L80
PoC
A malicious/compromised deployer can:
TIMELOCK_ADMIN_ROLEto an address controlled by the attacker;TIMELOCK_ADMIN_ROLErole of the current deployer's address;Recommendation
Consider removing
_setupRole(TIMELOCK_ADMIN_ROLE, _msgSender());at L79.