The purpose of a Timelock contract is to restrict the abilities of the governor . However, the current implementation does not serve this purpose as it allows the governor to perform any actions without any limitations. The current governor can call and set a new malicious governor who can change the timelock to 0. Timelock contract is intended to protect the protocol from lost private keys or malicious actions. The current implementation fails to fulfill this mission.
Qeew
unlabeled
Timelock delay can be changed
Summary
Vulnerability Detail
Timelock delay can be changed
Impact
The purpose of a Timelock contract is to restrict the abilities of the governor . However, the current implementation does not serve this purpose as it allows the governor to perform any actions without any limitations. The current governor can call and set a new malicious governor who can change the timelock to 0. Timelock contract is intended to protect the protocol from lost private keys or malicious actions. The current implementation fails to fulfill this mission.
Code Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/governance/UXDTimelockController.sol
Tool used
Manual Review
Recommendation
Consider making crucial roles only callable from the Timelock contract itself.