search
Active Boosts

31497 - [SC - Low] executeBatch lacks payable so ethers can not be...

Submitted on May 20th 2024 at 16:11:09 UTC by @OxRizwan for Boost | Alchemixarrow-up-right

Report ID: #31497

Report type: Smart Contract

Report severity: Low

Target: https://immunefi.com

Impacts:

  • Smart contract unable to operate due to lack of token funds

  • Logic errors

hashtag
Description

hashtag
Brief/Intro

executeBatch() lacks payable so ethers can not be a part of bath execution

hashtag
Vulnerability Details

In TimelockExecutor.sol contract, executeBatch() is used to execute the ready operations containing the batch transactions.

    function executeBatch(
        address[] calldata targets,
        uint256[] calldata values,     @audit // ether value sent along with call
        bytes[] calldata payloads,
        bytes32 predecessor,
        bytes32 descriptionHash,
        uint256 chainId
    ) public virtual onlyRole(EXECUTOR_ROLE) {
        require(targets.length == values.length, "TimelockExecutor: length mismatch");
        require(targets.length == payloads.length, "TimelockExecutor: length mismatch");

        bytes32 id = hashOperationBatch(targets, values, payloads, predecessor, descriptionHash, chainId);

        _beforeCall(id, predecessor);
        for (uint256 i = 0; i < targets.length; ++i) {
            _execute(id, i, targets[i], values[i], payloads[i]);
        }
        _afterCall(id);
    }

This function takes values as a param and part of batch execution. The values are the ethers which are sent along with call. executeBatch() calls internal function execute() for the transactions execution which is implemented as below:

It can be seen at (@), the ether value is indeed a part of executeBatch() function as the value is not hardcoded to 0.

Now, the issue is that, executeBatch() will revert when msg.value > 0. The current implementation of the executeBatch() function within the smart contract lacks the payable keyword. This omission leads to a critical issue where any transaction that attempts to send ether (ETH) to this function will fail. Since the function is designed to allow the executor to execute arbitrary calls and potentially send ETH, the inability to accept ETH due to the missing payable specifier means that:

  1. The contract does not behave as intended when interacting with functions or operations requiring ETH transfers.

  2. Any attempt to send ETH to this function will revert and result in a failure of the intended operation.

  3. ETH sent to this non-payable function will be stuck and effectively lost, leading to financial losses for the users.

hashtag
Impact Details

executeBatch() will fail when value is greater than 0 so executeBatch() can not be succesfully executed due to this issue

hashtag
References

https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/governance/TimelockExecutor.sol#L275-L293

https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/governance/TimelockExecutor.sol#L316

hashtag
Recommendation to fix

Add payable to executeBatch() function.

Consider below changes:

hashtag
Proof of Concept

The issue can be easily understood with above description and recommendation to fix.

Additionally, the affected contract i.e TimelockExecutor.sol is actually referred from openzeppelin's TimelockController.sol where this issue is not present. If you see the executeBatch() of openzeppelin's TimelockController.sol then this function has payable keyword so ethers can be part of batch execution. This can be checked as below:

Reference link: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/d947fb056d6a7eb099013076ac5ea5a69e9fec06/contracts/governance/TimelockController.sol#L391

Previous31495 - [SC - Critical] Users cannot claim rewards from RevenueHandler ...Next31498 - [SC - High] Alchemix ALCX rewards are currently subject to...

Last updated

Was this helpful?