DESCRIPTION OF EVENTS
"The standard for secure blockchain applications. OpenZeppelin provides security products to build, automate, and operate decentralized applications. We also protect leading organizations by performing security audits on their systems and products."
"The TimelockController is used as the owner of controlled contracts (e.g. some configuration contract of DeFi protocol). Whenever a call is to be made on controlled contract (e.g. to update some configuration parameters) it is scheduled via TimelockController contract and delayed in time. It allows any users to react to change and either accept it or withdraw their assets if they do not agree with the change."
"Whitehat Zb3 submitted a critical reentrancy vulnerability in OpenZeppelin’s TimelockController contract on August 21, 2021." "This is the only critical vulnerability that OpenZeppelin has ever had in its open source smart contract library to the best of its knowledge."
"[T]he vulnerability “allows an actor with the executor role to escalate privileges”." "The root cause of the vulnerability is that it does not follow the well-known Check-Effects-Interactions pattern."
"Proposal execution firstly executes function calls (Interactions) and then checks whether these function calls should be executed, in _afterCall function (Checks). If you are able to bypass the check using function calls you can call any function on behalf of the timelock controller contract."
"First, the attacker, who has the EXECUTOR role, must be able to schedule execution that will be accepted with no delay. Fortunately (for the attacker of course), there is an updateDelay function that allows to set the minimum delay to 0, thus allowing execution of a proposal in the same block."
"Second, the TimelockController inherits from AccessControl and has the grantRole function which is quite powerful, because it allows to manage the contract. Also, the TimelockController is an admin of itself so the attacker is able to manage the controller."
"Third, in order to bypass the isOperationReady check, the attacker must schedule a batch of function calls that corresponds to the exploit. To avoid recursion, the attacker can use another contract and call TimelockController indirectly."
"OpenZeppelin has graciously paid the whitehat a bounty of $25,000 for their contribution to community security and issued a patch." "When you look at the source code of the commit, you will see only one change: isOperationReady check added in _beforeCall function."
"OpenZeppelin has released an updated contract version which fixes the vulnerability." "Contracts v4.3.1 is out, fixing a security vulnerability in the TimelockController smart contract. All projects using TimelockController should migrate. The latest version is available on Github."
"Immunefi and OpenZeppelin proceeded to responsibly disclose the vulnerability to as many of the affected projects as possible, identifying and contacting 20 high risk projects out of a total of 316 instances of the TimelockController across numerous chains."
"[W]e found no cases of malicious exploitation of the vulnerability and no critical instances of the vulnerability containing funds at risk."
OpenZeppelin, a well-known smart contract audit provider, was found to have a critical vulnerability in its TimelockController smart contract that would have allowed privilege escalation. It was found through a bug bounty program and was not exploited, so no funds were lost. Because the code was commonly used, a significant number of projects had the same vulnerability.
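The check ordering described above, as a simplified Python model added here for illustration. It is not OpenZeppelin's Solidity code: the class, method and field names are hypothetical, and roles and the intermediary contract are left out. It shows that a readiness check made only after the calls can be satisfied by the calls themselves, while the same check made before the calls rejects the batch and leaves the state unchanged.

```python
# Simplified model of a timelock's execute path (illustrative, not project code).
OP = "op-1"  # constructed operation id

class NotReady(Exception):
    pass

class TimelockModel:
    def __init__(self, min_delay, check_before_call):
        self.min_delay = min_delay
        self.check_before_call = check_before_call  # True models the patched ordering
        self.ready_at = {}    # op id -> time at which it becomes executable
        self.done = set()
        self.admins = set()
        self.now = 0

    def schedule(self, op_id, delay):
        if delay < self.min_delay:
            raise ValueError("insufficient delay")
        self.ready_at[op_id] = self.now + delay

    def is_ready(self, op_id):
        return (op_id in self.ready_at and op_id not in self.done
                and self.ready_at[op_id] <= self.now)

    def execute(self, op_id, calls):
        snapshot = (self.min_delay, dict(self.ready_at), set(self.admins))
        try:
            if self.check_before_call and not self.is_ready(op_id):  # Checks
                raise NotReady(op_id)
            for call in calls:                                       # Interactions
                call(self)
            if not self.is_ready(op_id):                             # late check
                raise NotReady(op_id)
            self.done.add(op_id)                                     # Effects
        except Exception:
            # Model a reverted transaction: every state change is rolled back.
            self.min_delay, self.ready_at, self.admins = snapshot
            raise

def run_unscheduled_batch(check_before_call):
    """Execute a batch that was never scheduled and report the resulting state."""
    t = TimelockModel(min_delay=86400, check_before_call=check_before_call)
    batch = [lambda tl: setattr(tl, "min_delay", 0),   # delay lowered inside the batch
             lambda tl: tl.admins.add("executor"),     # role granted inside the batch
             lambda tl: tl.schedule(OP, 0)]            # batch schedules itself
    try:
        t.execute(OP, batch)
        executed = True
    except NotReady:
        executed = False
    return executed, t.min_delay, sorted(t.admins)
```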
HOW COULD THIS HAVE BEEN PREVENTED?
This demonstrates the effectiveness of bug bounty programs at incentivizing source code review by skilled white hat hackers, and also reinforces that smart contract hot wallets cannot be guaranteed to be safe, even if audited and in wide use.
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 10)
@openzeppelin Twitter (Sep 18)
Openzeppelin Bug Fix Postmortem (Sep 18)
TimelockController Vulnerability Post-mortem - Announcements - OpenZeppelin Community (Sep 18)
https://drdr-zz.medium.com/analysis-of-oz-timelockcontroller-security-vulnerability-patch-23da47a3c158 (Sep 18)
OpenZeppelin (Oct 13)
Release v4.3.1 · OpenZeppelin/openzeppelin-contracts · GitHub (Oct 19)
Add additional isOperationReady check in TimelockController · OpenZeppelin/openzeppelin-contracts@cec4f2e · GitHub (Oct 19)