Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing zero address check could lead to an executeEmergency() callable by anyone #17

Closed
code423n4 opened this issue Jun 16, 2022 · 1 comment
Closed

Missing zero address check could lead to an executeEmergency() callable by anyone #17

code423n4 opened this issue Jun 16, 2022 · 1 comment
Assignees
@maximebrugel
Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax valid

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-06-nested/blob/main/contracts/governance/TimelockControllerEmergency.sol#L295

Vulnerability details

Impact

The executeEmergency() is only callable by the EMERGENCY_ROLE role. However if at constract construction, emergency address was is zero, then EMERGENCY_ROLE role would be enabled for everyone leading to anyone executing a transaction without scheduling

Proof of Concept

  1. Assume the contract owner deployed the contract with the inputing emergency argument in TimelockControllerEmergency.constructor() as address(0) hoping to change it anytime.
  2. With the logic of @openzeppelin/contracts/access/AccessControl.sol , this would enable the EMERGENCY_ROLE role open to everyone.
  3. Bob who has no assigned role, calls executeEmergency() without restriction and can execute a transaction without any delay.

Tools Used

Manual review

Recommended Mitigation Steps

Add a require check for zero address in the constructor function.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jun 16, 2022
code423n4 added a commit that referenced this issue Jun 16, 2022
@code423n4
cryptphi issue #17
e1a8df1
@maximebrugel maximebrugel self-assigned this Jun 17, 2022
@Yashiru
Copy link
Collaborator

Yashiru commented Jun 24, 2022

Missing zero address check could lead to an executeEmergency() callable by anyone (Duplicated)

Duplicated of #61 at 2. Missing address(0) checks

@Yashiru Yashiru mentioned this issue Jun 24, 2022
Open
@Yashiru Yashiru added the duplicate This issue or pull request already exists label Jun 24, 2022
@jack-the-pug jack-the-pug added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax valid and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jul 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maximebrugel maximebrugel

Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@maximebrugel @Yashiru @code423n4 @jack-the-pug