Vulnerability found in the Timelock feature

A vulnerability in the Timelock cryptographic primitive was recently discovered. Having examined a recent snapshot at level #2,548,706, we can confirm it does not affect any contract deployed on Tezos Mainnet.

We will publish in due time more details about this incident, how it will be fixed, and how it will be prevented from happening in the future. In the meantime, we strongly advise against the use of Timelock in Tezos smart contracts until the issue is fixed and tested.

Note that the recently injected Kathmandu protocol proposal, currently going through the Tezos governance process, does not address this issue.