Scope
src/MultiSigTimelock.sol: MultiSigTimelock
Normal behavior: Once proposed, transactions cannot be canceled; only revocations of confirmations are possible.
Issue: In a compromise scenario, the inability to cancel proposed transactions forces reliance on signer coordination, and the high-risk window remains open.
Likelihood:
Reason 1: Compromised owner can propose dangerous calls
Reason 2: Slow coordination among signers
Impact:
Impact 1: Increased chance malicious execution succeeds
Impact 2: Operational risk and alert fatigue
Explanation: A malicious proposal sits in the queue. Even if signers don't confirm, it remains "open" forever (see H6). There is no way to explicitly "kill" it.
Recommended mitigation: Add a cancelTransaction function callable by the proposer or owner.
Status: Valid (Design Flaw)
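One way the recommended cancelTransaction could look, as an added example that is not code from MultiSigTimelock.sol. The contract name, storage layout, events, errors and the single owner role are assumptions; confirmation counting, the timelock and access control on propose are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Every name here is hypothetical, not taken from MultiSigTimelock.sol.
contract CancellableProposals {
    struct Proposal {
        address proposer; // recorded at proposal time so the proposer can cancel later
        address to;
        uint256 value;
        bytes data;
        bool executed;
        bool cancelled;
    }

    address public immutable owner; // assumption: one privileged owner role
    Proposal[] private proposals;

    event Proposed(uint256 indexed id, address indexed proposer);
    event Cancelled(uint256 indexed id, address indexed by);

    error NotAuthorized();
    error AlreadyFinalized();

    constructor() {
        owner = msg.sender;
    }

    // Access control on propose is assumed to exist in the real contract.
    function propose(address to, uint256 value, bytes calldata data) external returns (uint256 id) {
        id = proposals.length;
        proposals.push(Proposal(msg.sender, to, value, data, false, false));
        emit Proposed(id, msg.sender);
    }

    // Explicitly kills a queued proposal so it can never be confirmed or executed.
    function cancelTransaction(uint256 id) external {
        Proposal storage p = proposals[id]; // reverts on an out-of-range id
        if (msg.sender != p.proposer && msg.sender != owner) revert NotAuthorized();
        if (p.executed || p.cancelled) revert AlreadyFinalized();
        p.cancelled = true;
        emit Cancelled(id, msg.sender);
    }

    // The confirm and execute paths must require this before doing anything else.
    function isLive(uint256 id) public view returns (bool) {
        Proposal storage p = proposals[id];
        return !p.executed && !p.cancelled;
    }
}
```

If every signer counts as an owner, a single compromised signer could also cancel legitimate proposals, so who holds cancel authority should be decided together with the confirmation threshold.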