Incorrect Constructor Arguments in MultiSig Wallet Deployment
Summary
The contract deploy a MultiSigWallet instance using only two addresses:
However, a standard MultiSig wallet requires:
An array of owners (
address[] memory owners) – This ensures multiple authorized signers can approve transactions.A required confirmation threshold (
uint256 requiredConfirmations) – This defines how many owners must approve a transaction before execution.
Impact
The MultiSig wallet does not enforce multiple approvals, compromising security.
Transactions may lack proper authorization, leading to unauthorized fund transfers.
The contract may fail to deploy correctly, causing runtime errors or loss of funds.
Tools Used
manual review
Recommendations
MultiSigWallet multiSigWallet = new MultiSigWallet(owners, requiredConfirmations);
owners is an address[] containing multiple authorized signers.
requiredConfirmationsis the number of approvals needed before a transaction is executed.
Appeal created
Informational or Gas
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.