In TimelockController.sol the function executeBatch, could revert if the array of orders is too big.
Vulnerability Detail
To call executeBatch() first governance needs to scheduleBatch(). The issue is that scheduleBatch() could schedule much more operations, because it only emits an event in the for loop
for (uint256 i = 0; i < targets.length; ++i) {
emit CallScheduled(id, i, targets[i], values[i], payloads[i], predecessor, delay);
}
Unlike executeBatch(), where it iterates and calls _execute() which is much more gas heavy
for (uint256 i = 0; i < targets.length; ++i) {
address target = targets[i];
uint256 value = values[i];
bytes calldata payload = payloads[i];
_execute(target, value, payload);
emit CallExecuted(id, i, target, value, payload);
}
Impact
Some orders won't be executable and governance needs to schedule them again!
Code Snippet
for (uint256 i = 0; i < targets.length; ++i) {//@audit could fail on multiple gas heavy orders
address target = targets[i];
uint256 value = values[i];
bytes calldata payload = payloads[i];
_execute(target, value, payload);
emit CallExecuted(id, i, target, value, payload);
}
PokemonAuditSimulator
medium
executeBatch()could fail due to unbounded arraySummary
In
TimelockController.solthe functionexecuteBatch, could revert if the array of orders is too big.Vulnerability Detail
To call
executeBatch()first governance needs toscheduleBatch(). The issue is thatscheduleBatch()could schedule much more operations, because it only emits an event in the for loopUnlike
executeBatch(), where it iterates and calls_execute()which is much more gas heavyImpact
Some orders won't be executable and governance needs to schedule them again!
Code Snippet
Tool used
Manual Review
Recommendation
Check for length on the batch orders.