MultiSig Timelock

First Flight #55
Beginner Friendly, Wallet
100 EXP
Submission Details
Impact: medium
Likelihood: high
Invalid

Only Owner can propose a transaction, making it impossible for other signers to propose

Root + Impact

Description

The contract intends for all signers to be able to propose a transaction, but the proposeTransaction function carries the onlyOwner modifier, which makes other signers ineligible to propose a transaction. This does not match the contract's intended workflow as stated in the README:

Signers (holders of SIGNING_ROLE) - Propose new transactions (permission is tied to the role, so any signer can propose)

    function proposeTransaction(
        address to,
        uint256 value,
        bytes calldata data
    )
        external
        nonReentrant
        noneZeroAddress(to)
        onlyOwner // <<@ only the owner passes this modifier
        returns (uint256)
    {
        return _proposeTransaction(to, value, data);
    }

Risk

Likelihood:

  • When other signers try to propose a transaction, they can't.

Impact:

  • Only the owner can propose transactions, which is against the core functionality of the protocol.

Proof of Concept

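    function testOtherSignersCannotProposeTransaction() public {
        // The next external call is expected to revert
        vm.expectRevert();
        // Make the call as SIGNER_TWO instead of the owner
        vm.prank(SIGNER_TWO);
        uint256 txId = multiSigTimelock.proposeTransaction(
            recipient,
            1 ether,
            ""
        );
    }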

This test shows and proves that other signers cannot propose transactions.
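
For contrast, the Foundry test below is an added example (not code from the contest repository) that models the role-tied permission the README describes. RoleGatedProposer and the test addresses are hypothetical stand-ins built on OpenZeppelin AccessControl; only the proposer gate is modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical stand-in for the wallet: proposing is gated on SIGNING_ROLE,
// and the owner is deliberately given only the admin role.
contract RoleGatedProposer is AccessControl {
    bytes32 public constant SIGNING_ROLE = keccak256("SIGNING_ROLE");
    uint256 public txCount;

    constructor(address owner, address signer) {
        _grantRole(DEFAULT_ADMIN_ROLE, owner);
        _grantRole(SIGNING_ROLE, signer);
    }

    // Returns the id of the new proposal (0 for the first one).
    function proposeTransaction(address, uint256, bytes calldata) external onlyRole(SIGNING_ROLE) returns (uint256) {
        return txCount++;
    }
}

contract RoleGatedProposerTest is Test {
    address owner = makeAddr("owner");
    address signerTwo = makeAddr("signerTwo");
    address outsider = makeAddr("outsider");
    RoleGatedProposer wallet;

    function setUp() public {
        wallet = new RoleGatedProposer(owner, signerTwo);
    }

    // A signer who is not the owner can propose.
    function testSignerCanPropose() public {
        vm.prank(signerTwo);
        assertEq(wallet.proposeTransaction(address(1), 1 ether, ""), 0);
    }

    // Accounts without SIGNING_ROLE are rejected, including an owner
    // that was never granted the role.
    function testAccountsWithoutRoleRevert() public {
        vm.prank(outsider);
        vm.expectRevert();
        wallet.proposeTransaction(address(1), 1 ether, "");
        vm.prank(owner);
        vm.expectRevert();
        wallet.proposeTransaction(address(1), 1 ether, "");
    }
}
```

The second test is the case to watch when moving a gate from ownership to a role: the check no longer looks at who owns the contract, only at who holds the role.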

Recommended Mitigation

- onlyOwner
+ onlyRole(SIGNING_ROLE)
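
Review bot: on the added line, onlyRole(SIGNING_ROLE) replaces the ownership check outright, so the owner can propose only if it also holds SIGNING_ROLE, and nothing in these two lines establishes that it does; confirm the owner is granted the role or state that losing the ability is intended. The hunk also carries no file or function context, so name proposeTransaction explicitly, and pair the change with a test in which SIGNER_TWO proposes successfully, since the proof of concept above only asserts the revert.
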
Updates

Lead Judging Commences

kelechikizito Lead Judge 11 days ago

kelechikizito Lead Judge 4 days ago
Submission Judgement Published
Invalidated
Reason: Other
