Exploit walkthrough for #12:

1. deploy the malicious vault Contract (for the upgrade)

2. • get the keccak256 of the Unit8Array of “PROPOSER_ROLE”

3. create interface for 4 low level calls (to):

4. set attack contract as a proposer for time lock (time lock)

5. update the delay to 0 (time lock)

6. upgrade the contract to new implementation (original Vault)

7. exploit function (in the attack contract (attack contract)

   1. calling the schedule function (with a, b, c, d’s data)
   2. set theSweeper to the attack contract
   3. call sweepFund to drain the fund to this contract

The real hack:

call the execute function(with a, b, c, d as args) (time lock)

• finish a, b, c.
• then d schedule back a, b, c and itself (i)
• finish (ii) (iii)

1. call the withdraw function.

• OZ Access Control Contract:

Exploit Logic: