MultiSig Timelock

First Flight #55
Beginner Friendly, Wallet
100 EXP
Submission Details
Impact: high
Likelihood: high

Centralization Risk: Owner can revoke all signers

Author: Revealed upon completion

Root + Impact

Description

  • Normal behavior: Owner manages signers.

  • Issue: The owner, who is also a signer, can unilaterally revoke every other signer (down to the quorum limit) and then grant the signing role to addresses they control, taking over the multisig outright.

function revokeSigningRole(address _account) external onlyOwner { ... }
function grantSigningRole(address _account) external onlyOwner { ... }

Risk

Likelihood:

  • Owner key compromise

  • Malicious insider

Impact:

  • Complete takeover of the wallet

  • Bypass of multisig security assumptions

Proof of Concept

Explanation: The owner calls revokeSigningRole for all other signers, then calls grantSigningRole for new addresses they control.

// Owner alone removes the other signers, stopping at the quorum limit
vm.prank(OWNER);
multiSigTimelock.revokeSigningRole(SIGNER_TWO);
// ... repeat for others
// Owner then installs an address they control as a signer
vm.prank(OWNER);
multiSigTimelock.grantSigningRole(ATTACKER_CONTROLLED_ADDR);

Recommended Mitigation

Explanation: Make grantSigningRole and revokeSigningRole callable only by the multisig itself (i.e. only through executeTransaction, after the signer quorum has approved the change), or require a timelock before any role change takes effect.
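As an added illustration of the recommendation above (sketch code, not the audited MultiSigTimelock; the proposal/approve flow, the quorum field and the nonce parameter are assumed), both role functions are gated by an onlySelf modifier, so the only way to reach them is a self-call from executeTransaction after quorum:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the audited contract. Role changes carry onlySelf, so they
// are reachable only through executeTransaction, i.e. after the signer quorum
// has approved them; the owner alone can no longer rotate the signer set.
contract SelfGovernedMultiSig {
    mapping(address => bool) public isSigner;
    uint256 public signerCount;
    uint256 public immutable quorum;
    mapping(bytes32 => mapping(address => bool)) public approvedBy; // proposal => signer => voted
    mapping(bytes32 => uint256) public approvals;                  // proposal => vote count

    modifier onlySigner() { require(isSigner[msg.sender], "not a signer"); _; }
    // Only the wallet itself may call: satisfied solely by a self-call from executeTransaction.
    modifier onlySelf() { require(msg.sender == address(this), "only via multisig execution"); _; }

    constructor(address[] memory signers, uint256 _quorum) {
        require(_quorum > 0 && _quorum <= signers.length, "bad quorum");
        for (uint256 i = 0; i < signers.length; i++) isSigner[signers[i]] = true;
        signerCount = signers.length;
        quorum = _quorum;
    }

    function proposalId(address target, bytes calldata data, uint256 nonce) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data, nonce));
    }

    function approve(bytes32 id) external onlySigner {
        require(!approvedBy[id][msg.sender], "already approved");
        approvedBy[id][msg.sender] = true;
        approvals[id] += 1;
    }

    // For a role change, target is address(this) and data encodes grant/revokeSigningRole.
    function executeTransaction(address target, bytes calldata data, uint256 nonce) external onlySigner {
        bytes32 id = proposalId(target, data, nonce);
        require(approvals[id] >= quorum, "quorum not met");
        delete approvals[id]; // votes are consumed, so the same proposal cannot run twice
        (bool ok, ) = target.call(data);
        require(ok, "execution failed");
    }

    function grantSigningRole(address account) external onlySelf {
        require(!isSigner[account], "already a signer");
        isSigner[account] = true;
        signerCount += 1;
    }

    function revokeSigningRole(address account) external onlySelf {
        require(isSigner[account], "not a signer");
        require(signerCount - 1 >= quorum, "would drop below quorum");
        isSigner[account] = false;
        signerCount -= 1;
    }
}
```

With this shape a direct call to revokeSigningRole from the owner (or any EOA) reverts, and the PoC above no longer works without quorum approvals.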

- function revokeSigningRole(...) external onlyOwner
+ function revokeSigningRole(...) external onlySelf
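Review bot: the hunk only changes revokeSigningRole, while the explanation says both grantSigningRole and revokeSigningRole must be restricted; apply the same `onlySelf` change to `grantSigningRole`, otherwise the owner can still add their own addresses. Also, `onlySelf` is not defined anywhere on the page, so the recommendation should include its body (a `require(msg.sender == address(this))` check) so that the functions are reachable only through executeTransaction.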

Status: Valid (Design Flaw)
