PT-2021-22424 · Unknown · Openzeppelin

Published: 2021-08-26 · Updated: 2021-09-01 · CVE-2021-39167

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

OpenZeppelin versions prior to 4.3.1
OpenZeppelin versions prior to 3.4.2
OpenZeppelin versions prior to 3.4.2-solc-0.7
Description

A vulnerability in TimelockController allowed an actor with the executor role to escalate privileges, gaining unrestricted access to assets held in the contract. The issue can be exploited by resetting the delay to 0, which gives the executor immediate control of the timelock. Instances with the executor role set to "open" are particularly at risk, since the open setting lets anyone use the executor role.
Recommendations

For versions prior to 4.3.1, update to version 4.3.1 or later.
For versions prior to 3.4.2, update to version 3.4.2 or later.
For versions prior to 3.4.2-solc-0.7, update to version 3.4.2-solc-0.7 or later.

As a temporary workaround, consider revoking the executor role from accounts not strictly under the team's control. Ensure that at least one proposer and one executor remain after applying this mitigation.
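The interim workaround above, planned offline as an added example (this is not OpenZeppelin's code): rebuild the current role holders from the RoleGranted / RoleRevoked events that AccessControl emits, list the executor grants to revoke, and refuse any plan that would leave the timelock without a proposer or an executor. The event rows, addresses and trusted list are constructed sample data; roles are named by string here, whereas the on-chain identifier is keccak256 of the role name, and address(0) is what an "open" executor role is granted to.

```python
"""Plan the advisory's interim workaround for a TimelockController: revoke the
executor role from accounts the team does not control, and from address(0) (the
"open" executor setting), while checking that a proposer and an executor remain.
Added example, not OpenZeppelin's code; the event rows below are constructed."""
from dataclasses import dataclass

ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"  # address(0): open role

@dataclass(frozen=True)
class RoleEvent:
    kind: str     # "RoleGranted" or "RoleRevoked", as emitted by AccessControl
    role: str     # role name; on-chain this is keccak256("EXECUTOR_ROLE") etc.
    account: str

def current_holders(events):
    """Replay events in log order; returns {role: set(lower-cased accounts)}."""
    holders = {}
    for ev in events:
        bucket = holders.setdefault(ev.role, set())
        if ev.kind == "RoleGranted":
            bucket.add(ev.account.lower())
        elif ev.kind == "RoleRevoked":
            bucket.discard(ev.account.lower())
        else:
            raise ValueError(f"unexpected event {ev.kind}")
    return holders

def plan_executor_revocations(holders, trusted):
    """Executors to revoke: every holder outside the team's trusted set, plus
    address(0) unconditionally. Raises if the plan would strand the timelock."""
    trusted = {a.lower() for a in trusted}
    executors = holders.get("EXECUTOR_ROLE", set())
    revoke = sorted(a for a in executors if a not in trusted or a == ZERO_ADDRESS)
    remaining = executors - set(revoke)
    if not remaining:
        raise RuntimeError("plan leaves no executor; grant a trusted executor first")
    if not holders.get("PROPOSER_ROLE"):
        raise RuntimeError("timelock has no proposer; nothing could be scheduled")
    return {"open_executor": ZERO_ADDRESS in executors,
            "revoke": revoke, "remaining_executors": sorted(remaining)}

SAMPLE_EVENTS = [  # constructed; real rows come from the timelock's event logs
    RoleEvent("RoleGranted", "PROPOSER_ROLE", "0xAAAA000000000000000000000000000000000001"),
    RoleEvent("RoleGranted", "EXECUTOR_ROLE", "0xAAAA000000000000000000000000000000000001"),
    RoleEvent("RoleGranted", "EXECUTOR_ROLE", ZERO_ADDRESS),
    RoleEvent("RoleGranted", "EXECUTOR_ROLE", "0xBBBB000000000000000000000000000000000002"),
    RoleEvent("RoleRevoked", "EXECUTOR_ROLE", "0xBBBB000000000000000000000000000000000002"),
    RoleEvent("RoleGranted", "EXECUTOR_ROLE", "0xCCCC000000000000000000000000000000000003"),
]
```

Calling `plan_executor_revocations(current_holders(SAMPLE_EVENTS), trusted=[...])` with the team's own addresses returns the revocation list (address(0) first) and the executors that would remain, or raises before the team applies a plan that would lock the timelock.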

Fix

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2021-39167
GHSA-FG47-3C2X-M2WR

Affected Products

Openzeppelin