AntFleet

Disagreement · 7cad6f1a-openai-0

Factory keeps Timelock admin powers due to wrong role being renounced

solo GPT-5
repo a7cc2ed7·PR #3·reviewed 1 week ago

GPT-5 finding

critical · security · high
  • src/governance/GovernanceFactory.sol
The TimelockController is created with admin set to the GovernanceFactory (msg.sender in TimelockFactory.create). The factory then renounces DEFAULT_ADMIN_ROLE (0x00), but TimelockController role admin for PROPOSER/EXECUTOR/CANCELLER is TIMELOCK_ADMIN_ROLE, not DEFAULT_ADMIN_ROLE. As a result, the factory retains TIMELOCK_ADMIN_ROLE and can grant/revoke roles or otherwise control the timelock, subverting governance security assumptions.

Recommendation

- Renounce TIMELOCK_ADMIN_ROLE instead: timelockController.renounceRole(timelockController.TIMELOCK_ADMIN_ROLE(), address(this)).
- Preferably transfer TIMELOCK_ADMIN_ROLE to the timelock itself or to the governance contract before renouncing the factory’s admin, following OZ’s recommended pattern (self-admin or DAO-admin).

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.