code-423n4 / 2022-06-nested-findings


receive function is unrestricted #36

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-nested/blob/main/contracts/governance/TimelockControllerEmergency.sol#L113

Vulnerability details

Impact

The receive function has not placed any restriction, which means that if any user accidentally sends any ETH to this contract then it is permanently frozen until the timelock decides to release it by creating and approving a new transaction on the timelock, which increases the burden.

Recommended Mitigation Steps

If ETH is not expected then receive can be removed.
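
The two shapes under discussion, as an added illustration that is not code from the Nested repository: the unrestricted `receive()` the finding points at, beside a gated variant in which a plain transfer reverts unless the contract has opted in, so a mistaken send bounces back to the sender instead of waiting on a scheduled timelock operation. The `timelockAdmin` address, `acceptingEth` flag and `sweep` function are assumptions for this example; in a real timelock the authorized caller would be the timelock itself via its schedule/execute flow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Pattern the finding describes: every plain ETH transfer is accepted and
// nothing short of a scheduled-then-executed timelock operation can move it out.
contract UnrestrictedReceive {
    receive() external payable {}
}

// Gated variant (illustrative, not the project's code): plain transfers revert
// unless an authorized party has explicitly opted the contract in.
contract GatedReceive {
    // Hypothetical admin; in a timelock this would be the timelock contract
    // itself, calling through its own execute path.
    address public immutable timelockAdmin;
    bool public acceptingEth;

    error EthNotExpected();
    error NotAuthorized();

    constructor(address admin) {
        timelockAdmin = admin;
    }

    // Opt in only for the window in which ETH is genuinely expected.
    function setAcceptingEth(bool on) external {
        if (msg.sender != timelockAdmin) revert NotAuthorized();
        acceptingEth = on;
    }

    // A mistaken transfer while not opted in reverts, so the sender keeps the ETH.
    receive() external payable {
        if (!acceptingEth) revert EthNotExpected();
    }

    // Recovery path for ETH that did arrive while opted in.
    function sweep(address payable to) external {
        if (msg.sender != timelockAdmin) revert NotAuthorized();
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "sweep failed");
    }
}
```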

obatirou commented 2 years ago

receive function is unrestricted (disputed)

This is a Timelock; the funds are not locked. We can set the value to zero to not send ether. And if we made a mistake, we can create a script to send the ether back.