Connext Amarok contest - minhquanym's results

The interoperability protocol of L2 Ethereum.

General Information

Platform: Code4rena

Start Date: 08/06/2022

Pot Size: $115,000 USDC

Total HM: 26

Participants: 72

Period: 11 days

Judge: leastwood

Total Solo HM: 14

Id: 132

League: ETH

Connext

Researcher Performance

Rank: 32/72

Findings: 1

Award: $255.69

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: GimelSec

Also found by: Czar102, Lambda, csanuragjain, minhquanym, shenwilly

Labels

bug
duplicate
2 (Med Risk)

Awards

255.6947 USDC - $255.69

External Links

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/libraries/LibDiamond.sol#L101

Vulnerability details

Impact

In the walkthrough video, it is said that upgrades of the Diamond must go through a proposal window with a delay of 7 days. An upgrade should be done by first calling proposeDiamondCut, then waiting 7 days and calling diamondCut.

But this timelock can be bypassed because the check for whether 7 days have passed is wrong. It just checks acceptanceTimes < block.timestamp. If the owner does not call proposeDiamondCut, then acceptanceTimes is the default value, which is 0, and the check will always pass.

This is very dangerous, as the admin can use all privileges without a delay, including withdrawing all the funds.

Please refer to this issue to check the severity when timelock can be bypassed.

Proof of Concept

  1. The contract owner calls diamondCut() with any parameters without proposing it first.
  2. Because it was not proposed, its acceptanceTimes is 0 by default and the check will pass.

Tools Used

Manual Review

Add a check that acceptanceTimes > 0.
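The flawed check described in the finding, next to the suggested non-zero guard, as an added example in simplified Solidity (it is not the Connext LibDiamond code and not part of the submission). Every name other than acceptanceTimes is hypothetical, and keying proposals by a hash of their parameters is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Simplified model of a timelocked upgrade, NOT the Connext LibDiamond code.
// TimelockModel, DELAY, proposalId, propose, cutVulnerable, cutHardened are hypothetical names.
contract TimelockModel {
    uint256 public constant DELAY = 7 days;
    address public immutable owner;
    // Proposal id => earliest execution time; ids never proposed read as 0.
    mapping(bytes32 => uint256) public acceptanceTimes;

    event CutApplied(bytes32 id); // stand-in for performing the upgrade
    error NotOwner();
    error NotProposed();
    error DelayNotElapsed();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function proposalId(address facet, bytes calldata data) public pure returns (bytes32) {
        return keccak256(abi.encode(facet, data));
    }

    function propose(address facet, bytes calldata data) external onlyOwner {
        acceptanceTimes[proposalId(facet, data)] = block.timestamp + DELAY;
    }

    // Flawed check from the finding: an id that was never proposed maps to 0,
    // and 0 < block.timestamp always holds, so the call succeeds with no delay.
    function cutVulnerable(address facet, bytes calldata data) external onlyOwner {
        bytes32 id = proposalId(facet, data);
        require(acceptanceTimes[id] < block.timestamp, "delay not elapsed");
        delete acceptanceTimes[id];
        emit CutApplied(id);
    }

    // Hardened: reject the default value first, then enforce the delay.
    function cutHardened(address facet, bytes calldata data) external onlyOwner {
        bytes32 id = proposalId(facet, data);
        uint256 acceptance = acceptanceTimes[id];
        if (acceptance == 0) revert NotProposed();
        if (block.timestamp <= acceptance) revert DelayNotElapsed();
        delete acceptanceTimes[id];
        emit CutApplied(id);
    }
}
```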

#0 - LayneHaber

2022-06-24T16:31:41Z

Duplicate of #215
