m-03-audit: ensure to send only msg.value and not balance

Author: thelostone-mc

src/TimelockMultiAdminShim.sol

@@ -162,7 +162,7 @@ contract TimelockMultiAdminShim is ITimelockMultiAdminShim, ReentrancyGuard {
     uint256 _eta
   ) public payable nonReentrant returns (bytes memory) {
     _revertIfNotAdminOrExecutor();
-    return TIMELOCK.executeTransaction{value: address(this).balance}(_target, _value, _signature, _data, _eta);
+    return TIMELOCK.executeTransaction{value: msg.value}(_target, _value, _signature, _data, _eta);
   }
 
   /// @inheritdoc ITimelockMultiAdminShim

test/CompoundGovernanceUpgradeImpact.integration.t.sol

@@ -247,7 +247,6 @@ contract CompoundGovernanceUpgradeImpactIntegrationTest is Test, RollbackManager
   function _testProposalRequiringEthAndEthIsSentWithExecuteCall(uint256 _requiredEthAmount, address _executor) internal {
     // 0. Record initial balance for later comparison
     uint256 initialBalance = address(fakeProtocolContract).balance;
-    uint256 initialTimelockBalance = COMPOUND_TIMELOCK.balance;
 
     // 1. Create a proposal that requires ETH to be sent
     address[] memory targets = new address[](1);
@@ -274,7 +273,6 @@ contract CompoundGovernanceUpgradeImpactIntegrationTest is Test, RollbackManager
 
     govHelper.executeQueuedProposal{value: _requiredEthAmount}(ethProposal);
     assertEq(address(fakeProtocolContract).balance, initialBalance + _requiredEthAmount);
-    assertEq(COMPOUND_TIMELOCK.balance, initialTimelockBalance);
   }
 
   /// @notice Test that a proposal requiring ETH works with various ETH amounts

test/TimelockMultiAdminShim.unit.t.sol

@@ -509,7 +509,7 @@ contract ExecuteTransaction is TimelockMultiAdminShimTest {
     assertEq(timelockTxnCall.eta, _eta);
   }
 
-  function testFuzz_FlushesAccidentallySentETH(
+  function testFuzz_OnlyForwardsIntendedETH_DoesNotFlushAccidentalETH(
     address _target,
     uint256 _value,
     string memory _signature,
@@ -527,15 +527,15 @@ contract ExecuteTransaction is TimelockMultiAdminShimTest {
     vm.deal(admin, _value);
     vm.prank(admin);
 
-    // Execute transaction - should flush ALL ETH (both the intended value and accidental ETH)
+    // Execute transaction - should only forward the intended msg.value, not accidental ETH
     timelockMultiAdminShim.executeTransaction{value: _value}(_target, _value, _signature, _data, _eta);
 
-    // Verify that ALL ETH was flushed (both the intended value and the accidental ETH)
-    assertEq(address(timelockMultiAdminShim).balance, 0);
+    // Verify that accidental ETH remains in the contract (safer behavior)
+    assertEq(address(timelockMultiAdminShim).balance, _accidentalETH);
 
     // Verify that the timelock received the original intended value as the parameter
-    // (the timelock actually receives all ETH via {value: address(this).balance},
-    // but the _value parameter is still the original intended value)
+    // (the timelock receives ETH via {value: msg.value},
+    // and the _value parameter is the original intended value)
     MockCompoundTimelock.TimelockTransactionCall memory timelockTxnCall = timelock.lastParam__executeTransaction__();
     assertEq(timelockTxnCall.value, _value);
   }