MultiSig Timelock

First Flight #55
Tags: Beginner Friendly, Wallet
100 EXP
Submission Details
Impact: high
Likelihood: high

Permanent DoS by reducing signerCount below quorum


Root + Impact

Description

  • Normal behavior: executing a transaction requires 3-of-N signer confirmations (REQUIRED_CONFIRMATIONS == 3).

  • Issue: the owner can revoke signers until s_signerCount is 2 (or 1). Once fewer than 3 signers remain, REQUIRED_CONFIRMATIONS can never be reached, so every execution is permanently blocked.

```solidity
function revokeSigningRole(address _account) external onlyOwner {
    // @> the only guard: prevents revoking the very last signer
    if (s_signerCount <= 1) {
        revert MultiSigTimelock__CannotRevokeLastSigner();
    }
    // @> no check against REQUIRED_CONFIRMATIONS, so s_signerCount
    //    may be decremented to 2 or 1, below the 3-signer quorum
}
```

Risk

Likelihood:

  • Pruning signers is a common admin operation (key rotation, removing a compromised or departed signer).

  • An honest mistake is enough: two revocations from a small signer set drop the count to 2.

Impact:

  • Funds are stuck; no transaction can ever collect 3 confirmations.

  • Operational outage and governance paralysis, with no in-protocol recovery path.

Proof of Concept

Explanation: The test testH3_AggregateOutflowIncreasesDelay (only indirectly related to quorum) together with the logic analysis above shows that once s_signerCount drops to 2, REQUIRED_CONFIRMATIONS (3) can never be met.

```solidity
// Foundry test fragment; the wrapping function name is assumed
function test_RevokeBelowQuorumBricksExecution() public {
    // 5 signers -> revoke down to 2
    vm.prank(OWNER);
    multiSigTimelock.revokeSigningRole(SIGNER_THREE);
    vm.prank(OWNER);
    multiSigTimelock.revokeSigningRole(SIGNER_FOUR);
    // Attempt execution: impossible to reach 3 confirmations
}
```

Recommended Mitigation

Explanation: Add a check in revokeSigningRole that rejects the revocation whenever it would leave s_signerCount below REQUIRED_CONFIRMATIONS. The check must run before the signer mapping is updated and the counter decremented.
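As an added, self-contained illustration (not the audited MultiSigTimelock contract), a minimal signer registry that enforces the quorum invariant on both deployment and revocation; the contract, its storage names and error names are assumptions for this sketch:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration: signer bookkeeping that can never drop the
// live signer count below the fixed confirmation threshold.
contract QuorumSafeSigners {
    uint256 public constant REQUIRED_CONFIRMATIONS = 3;

    error NotOwner();
    error NotASigner(address account);
    error AlreadySigner(address account);
    error CannotReduceBelowQuorum(uint256 required);

    address public immutable owner;
    mapping(address => bool) public s_isSigner;
    uint256 public s_signerCount;

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address[] memory initialSigners) {
        owner = msg.sender;
        for (uint256 i = 0; i < initialSigners.length; i++) {
            _grant(initialSigners[i]);
        }
        // Deploying with fewer signers than the quorum would brick execution from day one.
        if (s_signerCount < REQUIRED_CONFIRMATIONS) revert CannotReduceBelowQuorum(REQUIRED_CONFIRMATIONS);
    }

    function grantSigningRole(address account) external onlyOwner {
        _grant(account);
    }

    function revokeSigningRole(address account) external onlyOwner {
        if (!s_isSigner[account]) revert NotASigner(account);
        // Revoking leaves s_signerCount - 1 signers. Rejecting when the current
        // count is <= quorum is equivalent, avoids subtraction (no underflow),
        // and subsumes the old "cannot revoke last signer" guard.
        if (s_signerCount <= REQUIRED_CONFIRMATIONS) revert CannotReduceBelowQuorum(REQUIRED_CONFIRMATIONS);
        s_isSigner[account] = false;
        s_signerCount -= 1;
    }

    function _grant(address account) internal {
        if (s_isSigner[account]) revert AlreadySigner(account);
        s_isSigner[account] = true;
        s_signerCount += 1;
    }
}
```

With four signers, the first revocation succeeds (count becomes 3) and the second reverts with CannotReduceBelowQuorum(3), which is the invariant the finding asks for.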

- if (s_signerCount <= 1) { revert ... }
+ // Prevent reducing below quorum
+ if (s_signerCount - 1 < REQUIRED_CONFIRMATIONS) {
+ revert MultiSigTimelock__CannotReduceBelowQuorum(REQUIRED_CONFIRMATIONS);
+ }
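Review bot: the new condition `s_signerCount - 1 < REQUIRED_CONFIRMATIONS` subtracts from an unsigned counter, so with `s_signerCount == 0` it panics with an arithmetic underflow (Solidity 0.8.x checked math) instead of the intended custom error, and the removed `<= 1` line was the only explicit last-signer guard. The subtraction-free form `if (s_signerCount <= REQUIRED_CONFIRMATIONS) { revert MultiSigTimelock__CannotReduceBelowQuorum(REQUIRED_CONFIRMATIONS); }` rejects exactly the same states without that edge case and still covers the last-signer case. Also confirm that `MultiSigTimelock__CannotReduceBelowQuorum(uint256)` is declared with the contract's other custom errors and that this check sits before the signer mapping update and the counter decrement.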

Status: Valid (Mitigated in src/MultiSigTimelock.sol)
