DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: low
Invalid

Funds Locked Due to Lack of Time-Based Withdrawals in `MultiSigWallet`

Summary

The MultiSigWallet contract does not include a fallback mechanism for withdrawing funds in cases where one owner refuses to approve transactions. As a result, funds may become indefinitely locked if one party is uncooperative.

Vulnerability Details

Root Cause:

The contract requires both owner1 and owner2 to approve a transaction before execution (executeTransaction). If one owner refuses to approve a transaction, there is no alternative method to withdraw the funds.

Example Attack Scenario:
  1. owner1 submits a transaction to withdraw funds.

  2. owner2 refuses to approve the transaction.

  3. Since the contract does not allow withdrawals without dual approval, the funds remain locked indefinitely.

Impact

Loss of Funds: If one owner is uncooperative or becomes inactive, the funds may be permanently inaccessible.

Recommendation

Implement a time-based fallback mechanism allowing funds to be withdrawn if a transaction remains unapproved for a specified duration. Example solutions:

  1. Timeout-Based Auto-Execution: If a transaction is not approved within X days, the submitting owner can execute it unilaterally.

  2. Owner Timeout Override: If one owner is inactive for Y days, the other owner can withdraw their portion of the contract balance.
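
Recommendation 1 above, sketched as an added example; it is not the contest's `MultiSigWallet` code and not part of the original submission. `TIMEOUT` (30 days standing in for "X days"), `submitTransaction`, `approveTransaction` and the struct layout are assumptions. After the delay the submitter no longer needs the second owner, so the wallet then behaves as 1-of-2.

```solidity
pragma solidity ^0.8.19;
// Hypothetical sketch, not the audited MultiSigWallet: a 2-of-2 wallet in which
// the submitting owner may execute alone once TIMEOUT has elapsed.
contract TimeoutMultiSig {
    struct Transaction {
        address to; uint256 value; address submitter;
        uint256 submittedAt; bool approvedByOther; bool executed;
    }

    uint256 public constant TIMEOUT = 30 days; // assumed value for "X days"
    address public immutable owner1;
    address public immutable owner2;
    Transaction[] public transactions;

    modifier onlyOwners() {
        require(msg.sender == owner1 || msg.sender == owner2, "not an owner");
        _;
    }

    constructor(address _owner1, address _owner2) {
        require(_owner1 != address(0) && _owner2 != address(0) && _owner1 != _owner2, "bad owners");
        owner1 = _owner1;
        owner2 = _owner2;
    }
    receive() external payable {}

    function submitTransaction(address to, uint256 value) external onlyOwners returns (uint256 id) {
        id = transactions.length;
        transactions.push(Transaction(to, value, msg.sender, block.timestamp, false, false));
    }

    // Only the owner who did not submit can supply the second approval.
    function approveTransaction(uint256 id) external onlyOwners {
        Transaction storage txn = transactions[id];
        require(!txn.executed, "already executed");
        require(msg.sender != txn.submitter, "submitter approves implicitly");
        txn.approvedByOther = true;
    }

    function executeTransaction(uint256 id) external onlyOwners {
        Transaction storage txn = transactions[id];
        require(!txn.executed, "already executed");
        // Fallback path: open only to the submitter, and only after the timeout.
        bool timedOut = msg.sender == txn.submitter && block.timestamp >= txn.submittedAt + TIMEOUT;
        require(txn.approvedByOther || timedOut, "needs approval or timeout");
        txn.executed = true; // state change before the external call
        (bool ok, ) = txn.to.call{value: txn.value}("");
        require(ok, "transfer failed");
    }
}
```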

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
