MultiSig Timelock
First Flight #55
Beginner FriendlyWallet
100 EXP
View all submissions
Previous Next
Submission Details
Impact: high
Likelihood: high

Fixed quorum cannot adapt to signer churn, risking permanent asset lock

Author Revealed upon completion

Scope
src/MultiSigTimelock.sol: REQUIRED_CONFIRMATIONS, grantSigningRole, revokeSigningRole

Root + Impact

Description

  • Normal behavior: Quorum should adjust when the signer set shrinks or during incident recovery.

  • Issue: REQUIRED_CONFIRMATIONS is hardcoded to 3 while the system allows as few as 3 signers. Losing one key or multisig member freezes funds; there is no governed way to lower quorum temporarily to unstick the wallet.

uint256 private constant REQUIRED_CONFIRMATIONS = 3; // cannot change at runtime

Risk

Likelihood:

  • Reason 1 // Key loss and hardware failures are common

  • Reason 2 // Small signer sets (exactly 3) are supported

Impact:

  • Impact 1 // Permanent inability to execute any transaction

  • Impact 2 // Emergency response (e.g., drain to safe address) impossible after a single key loss

Proof of Concept

Explanation: Deploy with three signers. One loses the key. Even though the owner can add a new signer, the lost key’s address still counts toward quorum; until added signer confirms, the system is frozen, and if owner key is the lost one, rotation is impossible.

// REQUIRE_CONFIRMATIONS stuck at 3; key loss bricks wallet

Recommended Mitigation

Explanation: Make quorum configurable via multisig-governed parameter updates with safeguards (e.g., lower-bound at majority) and add a recovery path if the owner key is lost.

+ uint256 public requiredConfirmations;
+ function setRequiredConfirmations(uint256 newQ) external onlyRole(SIGNING_ROLE) { require(newQ >= 2 && newQ <= s_signerCount, "bad quorum"); requiredConfirmations = newQ; }

Status: Valid (Availability Risk)

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!