search

code-423n4 / 2022-06-nested-findings

0 stars 1 forks source link

DOS on operation execution #38

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-nested/blob/main/contracts/governance/TimelockControllerEmergency.sol#L255

Vulnerability details

Impact

A malicious proposer can keep on cancelling all pending operations so that none of the transactions get executed. Admin also has no way to remove the malicious proposer

Proof of Concept

  1. Proposer A calls schedule function to schedule an operation

  2. Malicious Proposer B calls cancel function and cancels the Proposer A operation

  3. Malicious Proposer B does the same for any other scheduled operation

  4. Admin cannot do anything about this situation as contract has no way to removing a proposer.

Recommended Mitigation Steps

Add a function which will allow Admin to remove a proposer

obatirou commented 2 years ago

DOS on operation execution (disputed)

TIMELOCK_ADMIN_ROLE is the admin of all other roles (including PROPOSER_ROLE), so he can revoke PROPOSER_ROLE role

jack-the-pug commented 2 years ago

https://github.com/code-423n4/2022-06-nested/blob/main/contracts/governance/TimelockControllerEmergency.sol#L72

_setRoleAdmin(PROPOSER_ROLE, TIMELOCK_ADMIN_ROLE);

The admin (TIMELOCK_ADMIN_ROLE) can revoke PROPOSER_ROLE role.