code-423n4 / 2023-08-arbitrum-findings

Missing validation for the _l1TimelockMinDelay parameter in the constructor to ensure it's within a reasonable or expected range. #247

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/ArbitrumFoundation/governance/blob/c18de53820c505fc459f766c1b224810eaeaabc5/src/UpgradeExecRouteBuilder.sol#L88

Vulnerability details

Impact

The constructor accepts a parameter _l1TimelockMinDelay and assigns it to l1TimelockMinDelay without performing any validation checks. This means potentially erroneous or extreme values can be set, which could cause undesired behaviors in the system or open potential vulnerabilities.

Proof of Concept

By not validating _l1TimelockMinDelay, users or contract deployers might accidentally set a value that's either too short (making the timelock ineffective) or too long (potentially locking actions for an unreasonable amount of time). This can undermine the security and usability of the system.

Tools Used

Manual

Recommended Mitigation Steps

Add validation checks to ensure _l1TimelockMinDelay is within a reasonable range. The exact range will depend on the intended use case of the contract.

Assessed type

Invalid Validation
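
The pattern the report describes, next to a bounded version, as an added example that is not part of the original report and is not the UpgradeExecRouteBuilder source. The contract names `DelayUnchecked` and `DelayBounded`, the error names, and the 1 day / 30 day bounds are assumptions made for illustration; the report leaves the actual range to the contract's intended use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Hypothetical contracts for illustration only.

// Before: the constructor stores the delay exactly as supplied.
contract DelayUnchecked {
    uint256 public immutable l1TimelockMinDelay;

    constructor(uint256 _l1TimelockMinDelay) {
        l1TimelockMinDelay = _l1TimelockMinDelay;
    }
}

// After: the same assignment, guarded by deployment-time bounds.
contract DelayBounded {
    // Assumed bounds, not values taken from the audited code base.
    uint256 public constant MIN_ALLOWED_DELAY = 1 days;
    uint256 public constant MAX_ALLOWED_DELAY = 30 days;

    uint256 public immutable l1TimelockMinDelay;

    // Custom errors carry the rejected value and the violated bound,
    // so a failed deployment explains itself in the revert data.
    error DelayTooShort(uint256 given, uint256 minimum);
    error DelayTooLong(uint256 given, uint256 maximum);

    constructor(uint256 _l1TimelockMinDelay) {
        if (_l1TimelockMinDelay < MIN_ALLOWED_DELAY) {
            revert DelayTooShort(_l1TimelockMinDelay, MIN_ALLOWED_DELAY);
        }
        if (_l1TimelockMinDelay > MAX_ALLOWED_DELAY) {
            revert DelayTooLong(_l1TimelockMinDelay, MAX_ALLOWED_DELAY);
        }
        l1TimelockMinDelay = _l1TimelockMinDelay;
    }
}
```

A check like this runs once, at deployment, so it only catches a mistyped or out-of-range constructor argument.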

0xSorryNotSorry commented 1 year ago

Could be QA.

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as low quality report

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Overinflated severity