Analysis of OZ TimelockController security vulnerability patch

Timelock vulnerability tweet from OZ
Commit with the patch

TimelockController logic

If you know how the TimelockController contract works, you can skip this section.

  • schedule, which sets the timelock for a specific function call, and
  • execute, which executes the scheduled function call after the delay has passed.

Vulnerability analysis

The root cause of the vulnerability is that the execution logic does not follow the well-known Checks-Effects-Interactions pattern.

Exploit

First, the attacker, who has the EXECUTOR role, must be able to schedule an execution that will be accepted with no delay. Fortunately (for the attacker, of course), there is an updateDelay function that allows setting the minimum delay to 0, which makes it possible to execute a proposal in the same block it is scheduled.

  • updateDelay on the timelock controller contract, setting the delay to 0 and allowing proposals to be executed in the same block they are submitted,
  • grantRole on the timelock controller to grant the ADMIN role to the contract deployed by the attacker (we will come back to this contract in a second),
  • attack on the contract deployed by the attacker, which has the ADMIN role at this moment (explained below).
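A toy model of the two orderings, added here as an example (not OpenZeppelin's code and not from the original post): it assumes, as I read the patch, that the fix moved the readiness check from after the external call to before it; the operation id, delays and timestamps are constructed.

```python
DONE = 1  # sentinel timestamp marking an executed operation, as in the real contract

class Timelock:
    """Toy model of the schedule/execute state machine (added example, not OZ code)."""
    def __init__(self, min_delay):
        self.min_delay = min_delay
        self.timestamps = {}   # operation id -> timestamp at which it becomes ready
        self.now = 1_000       # simulated block.timestamp

    def is_ready(self, op_id):
        ts = self.timestamps.get(op_id, 0)
        return DONE < ts <= self.now

    def schedule(self, op_id, delay):
        assert delay >= self.min_delay, "insufficient delay"
        assert op_id not in self.timestamps, "operation already scheduled"
        self.timestamps[op_id] = self.now + delay

    def execute_vulnerable(self, op_id, target):
        # Interaction before check: the target runs with the timelock's authority
        # before anyone verified that the operation was ever scheduled.
        target(self)
        assert self.is_ready(op_id), "operation is not ready"
        self.timestamps[op_id] = DONE

    def execute_patched(self, op_id, target):
        # Check before interaction: no call is made unless the operation was
        # scheduled and its delay has elapsed; the re-check afterwards stays.
        assert self.is_ready(op_id), "operation is not ready"
        target(self)
        assert self.is_ready(op_id), "operation is not ready"
        self.timestamps[op_id] = DONE

def run_unscheduled(order):
    """Try to execute an operation nobody scheduled. Returns (target_called, completed)."""
    tl = Timelock(min_delay=2 * 24 * 3600)
    called = []

    def target(timelock):
        # Constructed stand-in for the batch described above: drop the delay to 0
        # and schedule the very operation that is currently being executed.
        called.append(True)
        timelock.min_delay = 0
        timelock.schedule("op-1", 0)

    try:
        getattr(tl, order)("op-1", target)
        return bool(called), True
    except AssertionError:
        return bool(called), False
```

With the vulnerable ordering the unscheduled operation both runs and completes; with the patched ordering it is rejected before any call is made.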

Conclusions

Smart contracts are quite tricky, especially when you are allowed to call any function on any contract and do not follow the Checks-Effects-Interactions pattern.

Damian Rusinek

Security Consultant @ Securing, PhD, Blockchain Security, Cryptography Protocols || Twitter: @drdr_zz