PT-2021-22425 · Unknown · Openzeppelin

Published: 2021-08-26 · Updated: 2021-09-01 · CVE-2021-39168

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

OpenZeppelin versions prior to 4.3.1
OpenZeppelin versions prior to 3.4.2
OpenZeppelin versions prior to 3.4.2-solc-0.7

Description

A vulnerability in TimelockController allowed an actor with the executor role to escalate privileges, gaining unrestricted access to assets held in the contract. The issue can be exploited by resetting the timelock delay to 0, thus taking immediate control of the timelock. Instances with the executor role set to "open" are particularly at risk: because anyone can act as executor in that configuration, the timelock can be taken over by an arbitrary attacker.

Recommendations

For versions prior to 4.3.1, update to version 4.3.1 or later.
For versions prior to 3.4.2, update to version 3.4.2 or later.
For versions prior to 3.4.2-solc-0.7, update to version 3.4.2-solc-0.7 or later.

As a temporary workaround, consider revoking the executor role from accounts not strictly under the team's control, ensuring that at least one proposer and one executor remain.

Fix

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2021-39168
GHSA-VRW4-W73R-6MM8

Affected Products

Openzeppelin