Closed code423n4 closed 2 years ago
TIMELOCK_ADMIN_ROLE is the admin of all other roles (including PROPOSER_ROLE), so he can revoke the PROPOSER_ROLE role.
_setRoleAdmin(PROPOSER_ROLE, TIMELOCK_ADMIN_ROLE);
The admin (TIMELOCK_ADMIN_ROLE) can revoke the PROPOSER_ROLE role.
Lines of code
https://github.com/code-423n4/2022-06-nested/blob/main/contracts/governance/TimelockControllerEmergency.sol#L255
Vulnerability details
Impact
A malicious proposer can keep on cancelling all pending operations so that none of the transactions get executed. The admin also has no way to remove the malicious proposer.
Proof of Concept
Proposer A calls schedule function to schedule an operation
Malicious Proposer B calls cancel function and cancels the Proposer A operation
Malicious Proposer B does the same for any other scheduled operation
Admin cannot do anything about this situation as the contract has no way of removing a proposer.
Recommended Mitigation Steps
Add a function which will allow Admin to remove a proposer.
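The role relationship pointed out in the reply at the top of this thread can be checked with a short Foundry test; this is an added example, not code from the issue or from the Nested repository. `RoleWiringSketch` is a constructed stand-in that reproduces only the quoted `_setRoleAdmin` line with simplified `schedule`/`cancel` functions, and it assumes forge-std plus an OpenZeppelin Contracts version that exposes the internal `_grantRole`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

// Constructed stand-in with the role wiring quoted in the thread; not the Nested contract.
contract RoleWiringSketch is AccessControl {
    bytes32 public constant TIMELOCK_ADMIN_ROLE = keccak256("TIMELOCK_ADMIN_ROLE");
    bytes32 public constant PROPOSER_ROLE = keccak256("PROPOSER_ROLE");
    mapping(bytes32 => bool) public pending; // simplified operation state (assumption)

    constructor(address admin, address proposerA, address proposerB) {
        _setRoleAdmin(PROPOSER_ROLE, TIMELOCK_ADMIN_ROLE); // the line quoted in the thread
        _grantRole(TIMELOCK_ADMIN_ROLE, admin);
        _grantRole(PROPOSER_ROLE, proposerA);
        _grantRole(PROPOSER_ROLE, proposerB);
    }

    function schedule(bytes32 id) external onlyRole(PROPOSER_ROLE) { pending[id] = true; }
    function cancel(bytes32 id) external onlyRole(PROPOSER_ROLE) { pending[id] = false; }
}

contract RevokeProposerTest is Test {
    function testAdminRevokesCancellingProposer() public {
        address admin = makeAddr("admin");
        address proposerA = makeAddr("proposerA");
        address proposerB = makeAddr("proposerB");
        RoleWiringSketch timelock = new RoleWiringSketch(admin, proposerA, proposerB);
        bytes32 id = keccak256("op-1");
        // Read the role up front: a getter call placed inside the pranked call
        // would itself consume vm.prank.
        bytes32 proposerRole = timelock.PROPOSER_ROLE();

        vm.prank(proposerA);
        timelock.schedule(id);
        vm.prank(proposerB);
        timelock.cancel(id); // the cancellation step from the Proof of Concept
        assertFalse(timelock.pending(id));

        vm.prank(admin);
        timelock.revokeRole(proposerRole, proposerB); // public function inherited from AccessControl
        assertFalse(timelock.hasRole(proposerRole, proposerB));

        vm.prank(proposerA);
        timelock.schedule(id);
        vm.expectRevert(); // version-agnostic: string revert or custom error
        vm.prank(proposerB);
        timelock.cancel(id); // now rejected by onlyRole(PROPOSER_ROLE)
        assertTrue(timelock.pending(id));
    }
}
```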