The _call function in the TimelockControllerEmergency contract will send ether to the OwnerProxy contract, and the OwnerProxy contract will delegatecall the script contract. The two existing script contracts will neither use ether nor withdraw ether, which will cause the sent ether to be locked in the OwnerProxy contract.
Lines of code
https://github.com/code-423n4/2022-06-nested/blob/b4a153c943d54755711a2f7b80cbbf3a5bb49d76/contracts/governance/TimelockControllerEmergency.sol#L351-L362
Vulnerability details
Impact
The _call function in the TimelockControllerEmergency contract will send ether to the OwnerProxy contract, and the OwnerProxy contract will delegatecall the script contract. The two existing script contracts will neither use ether nor withdraw ether, which will cause the sent ether to be locked in the OwnerProxy contract.
Proof of Concept
https://github.com/code-423n4/2022-06-nested/blob/b4a153c943d54755711a2f7b80cbbf3a5bb49d76/contracts/governance/TimelockControllerEmergency.sol#L351-L362
Tools Used
None
Recommended Mitigation Steps
Consider adding the function of withdrawing ether to the OwnerProxy contract, or adding a script contract for withdrawing ether