Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

TimelockController 'salt' is unrecoverable yet required for execution

See original GitHub issue

When scheduling a transaction using the TimelockController, one is required to provide a salt to distinguish otherwise identical transactions. The salt parameter is not emitted in the CallScheduled event which makes it impossible to recover. Yet salt is required for executing the scheduled transaction transaction, ~~even though it isn’t necessary and more gas efficient if id is used instead~~.

💻 Environment

Openzeppelin v4.5.0 / hardhat

📝 Details

salt is missing from the CallScheduled event: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/458697be32f41946e1ab66e946c7cf373c79577d/contracts/governance/TimelockController.sol#L35

salt is required for the execute & executeBatch calls: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/458697be32f41946e1ab66e946c7cf373c79577d/contracts/governance/TimelockController.sol#L267

Instead of salt the execute methods should be consuming the hashed operation (id) directly, since that id is readily available via event data. This would also save on gas since there is no need to re-run the hashing operation.

Happy to submit a PR

Issue Analytics

State:
Created 2 years ago
Comments:5 (4 by maintainers)

Top GitHub Comments

2reactions

frangiocommented, Mar 1, 2022

So we need to emit the salt in an event, but we can’t change the existing event because it changes the event selector, which is a little concerning because any monitoring infrastructure in place will not see the new event.

We can emit the salt in a new event ProposalSalt(uint256 indexed proposalId, bytes32 salt).

1reaction

Amxxcommented, Mar 1, 2022

@ashwinYardi Cancel doesn’t have other params. It just cancels the proposal that has a given ID.

We could have required the cancel call to send all the details, hash them, and cancel that, but it would have been more expensive, and not safer.

In short

execute: we are actually executing, so we need the execution details and we have to validate them;
cancel: we are just internally canceling, we don’t need the execution details.

Top Results From Across the Web

TimelockController Vulnerability Post-mortem - Announcements

The fix is simple: Add an additional isOperationReady check before the batch begins execution. Note, this check is still needed after the batch ......

What is this function do internally of Time Lock Controller of ...

It has to be scheduled by a proposer and executed by an executor here ... Salt: used to disambiguate two otherwise identical operations....

OpenZeppelin Bugfix Review. Summary | by Immunefi - Medium

OpenZeppelin's TimelockController contract is a standard smart ... call has been executed, and require(isOperationReady(id)); checks to see ...

Transfer Contract Ownership to a TimelockController Using ...

Brief walkthrough for transfering ownership to a Timelock using OpenZeppelin Defenderhttps://docs.openzeppelin.com/defender/admin#timelocks.