MultiSig Timelock

First Flight #55
Beginner Friendly
Wallet
100 EXP
Submission Details
Impact: high
Likelihood: high

Owner-only proposal deviates from documented threat model

Author Revealed upon completion

Scope
src/MultiSigTimelock.sol: proposeTransaction

Root + Impact

Description

  • Normal behavior (docs): Any signer can propose transactions.

  • Issue: Only the owner can propose. If the owner is compromised or malicious, the other signers cannot propose safe counter-actions, which reduces resilience.

function proposeTransaction(...) external nonReentrant noneZeroAddress(to) onlyOwner returns (uint256) {
// @> onlyOwner blocks other signers from proposing
}

Risk

Likelihood:

  • Owner compromise scenarios are common

  • Operational workflows need signer autonomy

Impact:

  • Single point of failure for proposals

  • Slower recovery paths; governance degradation

Proof of Concept

Explanation: A non-owner signer calls proposeTransaction and it reverts.

vm.prank(SIGNER_TWO);
vm.expectRevert();
multiSigTimelock.proposeTransaction(...);

Recommended Mitigation

Explanation: Change the onlyOwner modifier on proposeTransaction to onlyRole(SIGNING_ROLE).

- onlyOwner
+ onlyRole(SIGNING_ROLE)
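
Review bot: With onlyOwner replaced by onlyRole(SIGNING_ROLE) on proposeTransaction, the owner can propose only if it also holds SIGNING_ROLE, and nothing in this hunk shows that grant. Confirm the role is granted to the owner at deployment, or document that the owner is intentionally no longer a proposer. The proof-of-concept test that pranks SIGNER_TWO and expects a revert should be inverted to assert success, and a companion test should assert that an address without SIGNING_ROLE still reverts.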

Status: Valid (Design Flaw)

