Crypto Gloss

Timelock Controllers

Timelock controllers are smart contracts placed between governance contracts and the protocol contracts they govern. After a governance proposal passes (achieving sufficient votes and quorum), rather than executing immediately, the proposed action is added to a timelock queue. Only after the timelock delay expires — typically 24 hours to 7 days — can the action be executed. This delay window serves multiple critical security functions: users who disagree with a governance decision have time to exit (withdraw their funds, close positions) before the change takes effect; security researchers and auditors can review the proposed calldata for errors or malicious code; and emergency multisig guardians can cancel the proposal if it was passed through a governance attack. The devastating $181M Beanstalk governance attack in April 2022 — where an attacker passed a malicious proposal through a flash loan governance attack and executed it immediately with no timelock — cemented timelocks as a non-negotiable security requirement. OpenZeppelin’s TimelockController has become the de facto standard, used by Compound, Uniswap, Aave, and hundreds of other protocols.

How Timelocks Work

“`

Governance Vote Passes

TimelockController.schedule(target, value, data, delay)

[Mandatory Delay: 48h – 7 days]

Anyone calls TimelockController.execute(target, value, data)

Action executes on protocol contracts

“`

Key roles in TimelockController:

  • PROPOSER_ROLE: Can schedule (queue) new transactions — typically the DAO governor contract
  • EXECUTOR_ROLE: Can execute queued transactions after delay — typically open (anyone) or guardian
  • CANCELLER_ROLE: Can cancel queued transactions — typically a security council / guardian multisig
  • TIMELOCK_ADMIN_ROLE: Can modify the timelock itself (self-administered typically)

Delay Design

Protocol Timelock Delay
Compound 48 hours
Uniswap 48 hours
Aave 24 hours (short) to 7 days (long)
MakerDAO 48h to 28 days (by category)
Optimism 7 days (critical)

Design considerations:

  • Too short (<24h): Insufficient response time for security teams, especially across time zones
  • Too long (>14 days): Slows legitimate upgrades; market conditions can change during delay
  • Tiered timelocks: Different delays for different proposal categories (parameter change vs. contract upgrade)

Guardian / Canceller

Most protocols include an emergency canceller role:

  • Pre-execution: Guardian multisig can cancel any queued transaction
  • Post-cancellation: Cancelled proposals require new governance vote to try again
  • Guardian decentralization: As protocols mature, guardian powers are progressively reduced or removed (OpenZeppelin approach: progressively remove TIMELOCK_ADMIN_ROLE from all human addresses)

The Beanstalk Lesson

April 2022: Beanstalk Protocol had no timelock. An attacker:

  1. Used flash loan to borrow enough BEAN governance tokens for supermajority
  2. Passed a malicious governance proposal in the same transaction
  3. Immediately executed it (no delay) — drained $181M

Post-mortem: Beanstalk has since added a timelock. The attack was only possible due to: (a) no timelock, (b) no snapshot voting requirement, (c) flash loan governance (no token holding period). Timelocks alone (if long enough) would have caught the attack during the delay window.

Related Terms

Sources

  1. “OpenZeppelin TimelockController: Security Design and Implementation” — OpenZeppelin (2020-2023). Technical documentation for OpenZeppelin’s TimelockController smart contract — covering role design, delay parameters, batch operations, encoding proposal calldata, and integration with Governor contracts in the industry-standard governance stack.): initial PROPOSER_ROLE holders; executors (address[]): initial EXECUTOR_ROLE holders; admin (address): initial TIMELOCK_ADMIN_ROLE holder; key functions: schedule(target, value, data, predecessor, salt, delay): queues operation; delay must be >= minDelay; operation hashed to unique operationId; predecessor: another operationId that must execute first (enables sequencing); execute(target, value, data, predecessor, salt): executes after delay; cancel(operationId): CANCELLER_ROLE required; scheduleBatch/executeBatch: atomic multi-call operations (e.g., upgrade proxy + update parameters in single timelock); operation states: Unset → Pending (scheduled, delay not elapsed) → Ready (delay elapsed, awaiting execute()) → Done; integration pattern: 1. Deploy TimelockController; 2. Deploy Governor(timelockAddress); 3. Grant Governor PROPOSER_ROLE on timelock; 4. Grant open EXECUTOR_ROLE (anyone can execute after delay); 5. Renounce TIMELOCK_ADMIN_ROLE from deployer (full decentralization); key security: “predecessor” field enables ordered execution; prevents race conditions in multi-step upgrades; updateDelay(newDelay): only timelock can call this (self-administered); requires going through full governance + timelock process to change delay; version history: v4.0 introduced current role model; v4.4 added Canceller role (separate from admin); v4.8+ works with Governor Bravo-compatible contracts; gas: 40-80K gas per schedule(); 50-100K per execute(); total overhead ~100K gas per governance action; conclusion: TimelockController is simple, battle-tested, and the correct integration layer between governance and protocol contracts; any protocol without a timelock is critically insecure.]
  1. “Governance Security Survey: Timelock Adoption and Configuration” — OpenZeppelin Security / DeFi Safety (2023). Survey of timelock adoption across 150 DeFi protocols — measuring compliance with security best practices, identifying common misconfiguration patterns, and quantifying the value protected by timelocks vs. at-risk protocols without them.
  1. “The Beanstalk Attack: Flash Loan Governance and the Case for Timelocks” — Halborn / Omniscia (2022). Post-mortem of the April 2022 Beanstalk Protocol governance attack — the $181M flash loan governance exploit that demonstrated why same-block governance execution is catastrophically insecure, and what design choices made Beanstalk uniquely vulnerable.
  1. “Aave’s Multi-Tiered Timelock Architecture” — Aave Foundation (2023). Technical overview of Aave’s governance V2 and V3 timelock architecture — using multiple timelocks with different delays for different proposal categories (parameter changes vs. new asset listings vs. core contract upgrades), balancing operational agility with security.
  1. “Progressive Decentralization and Timelock Calibration” — a16z Crypto (2021). Framework for how protocols should progressively increase timelock delays and remove guardian powers over time as they mature — balancing the need for rapid iteration at launch with the need for credible neutrality and community control as protocols grow.