Scope
src/MultiSigTimelock.sol: _executeTransaction
Normal behavior: Sensitive selectors (upgrade, ownership changes, approvals) should be allowlisted or require elevated delay.
Issue: Any 3-of-5 signers can execute arbitrary calldata against any address with full gas and contract balance, enabling instant infinite token approvals or proxy upgrades without on-chain policy controls.
Likelihood:
Reason 1 // Calldata is often copy-pasted from scripts without deep review
Reason 2 // Malicious signer collusion is a primary threat model
Impact:
Impact 1 // Full administrative takeover of downstream systems in one execution
Impact 2 // Token allowances or upgrade slots irrevocably compromised
Explanation: Propose data calling upgradeTo(attackerImpl) on a proxy or setOwner(attacker) on downstream governance. With three confirmations the call executes; no policy rejects it.
Explanation: Introduce per-target, per-selector allowlists/denylists with overridable minimum delays, and have _executeTransaction enforce them before making the external call.
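Added example of the policy layer described above; it is not the audited project's code, and the Policy/Mode types, setPolicy and the Proposal layout are assumed names. Before the external call, the (target, selector) pair is looked up: denied pairs revert, allowlisted pairs wait their configured delay, and anything unknown waits an elevated delay instead of executing immediately.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract's code. Policy, Mode, setPolicy
// and the Proposal layout are assumed names; only the 3-of-5 threshold and
// _executeTransaction come from the finding.
contract PolicyGatedTimelock {
    enum Mode { Default, Allow, Deny }
    struct Policy { Mode mode; uint64 minDelay; }
    struct Proposal {
        address target; uint256 value; bytes data;
        uint64 proposedAt; uint8 confirmations; bool executed;
    }
    uint8  public constant THRESHOLD      = 3;
    uint64 public constant DEFAULT_DELAY  = 1 days;  // allowlisted calls
    uint64 public constant ELEVATED_DELAY = 7 days;  // anything not allowlisted

    // target => function selector => policy; selector 0x00000000 covers plain value transfers
    mapping(address => mapping(bytes4 => Policy)) public policies;
    Proposal[] public proposals;

    // Only callable by the timelock itself, so policy changes go through the same queue.
    function setPolicy(address target, bytes4 selector, Mode mode, uint64 minDelay) external {
        require(msg.sender == address(this), "self only");
        policies[target][selector] = Policy(mode, minDelay);
    }

    function selectorOf(bytes memory data) public pure returns (bytes4) {
        return data.length >= 4 ? bytes4(data) : bytes4(0);
    }

    // Returns the delay a proposal must wait, or reverts when the policy denies it.
    function requiredDelay(address target, bytes memory data) public view returns (uint64) {
        Policy memory pol = policies[target][selectorOf(data)];
        if (pol.mode == Mode.Deny) revert("target/selector denied");
        if (pol.mode == Mode.Allow) {
            return pol.minDelay > DEFAULT_DELAY ? pol.minDelay : DEFAULT_DELAY;
        }
        return ELEVATED_DELAY; // unknown (target, selector): allowed, but only after a long wait
    }

    function _executeTransaction(uint256 id) internal {
        Proposal storage p = proposals[id];
        require(!p.executed && p.confirmations >= THRESHOLD, "not ready");
        require(block.timestamp >= p.proposedAt + requiredDelay(p.target, p.data), "delay not elapsed");
        p.executed = true; // effects before the external interaction
        (bool ok, ) = p.target.call{value: p.value}(p.data);
        require(ok, "call failed");
    }
}
```

Because setPolicy is only reachable through an executed proposal, loosening a policy is itself subject to the same confirmations and delay as any other call.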
Status: Valid (Policy Bypass)