code-423n4 / 2022-06-nested-findings


QA Report #34

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

_minDelay can be 0, beating timelock motive

Contract: https://github.com/code-423n4/2022-06-nested/blob/main/contracts/governance/TimelockControllerEmergency.sol#L93

Issue: In the constructor, the deployer can set _minDelay to 0, which means any proposed transaction can be executed instantly without any delay, which defeats the basic motive of a timelock.

Recommendation: Add a check to ensure a correct value of _minDelay:

require(_minDelay!=0, "Incorrect delay");

Missing selector check on operator

Contract: https://github.com/code-423n4/2022-06-nested/blob/main/contracts/governance/scripts/OperatorScripts.sol#L28
https://github.com/code-423n4/2022-06-nested/blob/main/contracts/OperatorResolver.sol#L20

Issue: The addOperator function does not check that the selector of the added operator is not bytes4(0). The same fix is required for the requireAndGetOperator function at OperatorResolver.sol#L20.

Recommendation: Add the check below:

require(operator.selector != bytes4(0), "AO-SCRIPT: INVALID_SELECTOR");

Unused imports

Contract: https://github.com/code-423n4/2022-06-nested/blob/main/contracts/operators/Yearn/YearnCurveVaultOperator.sol#L12

Issue: The contract imports CurveHelpers but does not use it.

Recommendation: Do not import CurveHelpers.sol in YearnCurveVaultOperator.
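A hypothetical operator registry that applies the recommended selector check on both the write path (addOperator) and the read path (requireAndGetOperator), so that an entry with an empty selector can neither be stored nor executed. This is an added example, not code from the Nested repository; the contract name, owner check, event and error strings are invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative registry (hypothetical, not Nested's OperatorResolver).
contract OperatorRegistryExample {
    struct Operator {
        address implementation;
        bytes4 selector;
    }

    address public immutable owner;
    mapping(bytes32 => Operator) private operators;

    event OperatorAdded(bytes32 indexed name, address implementation, bytes4 selector);

    constructor() {
        owner = msg.sender;
    }

    /// Register an operator. A zero selector would later route the
    /// delegatecall to the implementation's fallback (or revert), so it
    /// is rejected at registration time instead of at execution time.
    function addOperator(bytes32 name, Operator calldata operator) external {
        require(msg.sender == owner, "REGISTRY: NOT_OWNER");
        require(operator.implementation != address(0), "REGISTRY: INVALID_IMPLEMENTATION");
        require(operator.selector != bytes4(0), "REGISTRY: INVALID_SELECTOR");
        require(operators[name].implementation == address(0), "REGISTRY: ALREADY_EXISTS");
        operators[name] = operator;
        emit OperatorAdded(name, operator.implementation, operator.selector);
    }

    /// Look up an operator and re-validate it, so a record written before
    /// the check existed (or through another path) can never be executed
    /// with an empty selector.
    function requireAndGetOperator(bytes32 name) public view returns (Operator memory operator) {
        operator = operators[name];
        require(operator.implementation != address(0), "REGISTRY: MISSING_OPERATOR");
        require(operator.selector != bytes4(0), "REGISTRY: INVALID_SELECTOR");
    }

    /// Example call path: calldata is only ever built from a validated selector.
    function buildCall(bytes32 name, bytes memory params) external view returns (bytes memory) {
        Operator memory op = requireAndGetOperator(name);
        return abi.encodePacked(op.selector, params);
    }
}
```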

obatirou commented 2 years ago

_minDelay can be 0, beating timelock motive (disputed)

It is not required in the constructor; it can be updated if needed.

obatirou commented 2 years ago

Missing selector check on operator (confirmed)

obatirou commented 2 years ago

Unused imports (duplicate)

Duplicate of https://github.com/code-423n4/2022-06-nested-findings/issues/40#issuecomment-1167044373