MultiSig Timelock

First Flight #55
Beginner Friendly | Wallet
100 EXP
Submission Details
Impact: high
Likelihood: high

No emergency pause to stop execution during compromise

Author Revealed upon completion

Scope
src/MultiSigTimelock.sol: MultiSigTimelock

Root + Impact

Description

  • Normal behavior: Multisigs managing large treasuries typically expose a pause circuit breaker so that in-flight actions can be frozen while an incident is investigated.

  • Issue: There is no Pausable hook. Once a malicious proposal reaches quorum, there is no on-chain way to halt its execution, even if the compromise is detected moments before it is executed.

// executeTransaction has no whenNotPaused guard

Risk

Likelihood:

  • Operational incidents and key compromises are inevitable

  • Response windows are short

Impact:

  • Funds or governance power lost because executions cannot be frozen

  • Off-chain coordination is the only fallback, increasing human error

Proof of Concept

Explanation: Suppose a malicious proposal is detected while it already has 3 confirmations pending. Without a pause mechanism, any signer can still execute it immediately.

// No on-chain mechanism to block execution path

Recommended Mitigation

Explanation: Inherit Pausable, gate propose/confirm/execute with whenNotPaused, and add a fast, multisig-controlled pause() path so a signer can freeze the wallet as soon as a compromise is detected.

+ contract MultiSigTimelock is Pausable, ... {
+ function pause() external onlyRole(SIGNING_ROLE) { _pause(); }
+ function executeTransaction(...) external whenNotPaused { ... }
+ }
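A fuller sketch of the recommended design, added here as an illustration and not the project's or OpenZeppelin's own code. It assumes OpenZeppelin's Pausable, a simple signer set with a quorum and a delay, and that the contract name, storage layout and the quorum-gated unpause() are design choices of this example: any single signer can trip the breaker, but lifting it needs a quorum so one compromised key cannot unfreeze the wallet alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Assumed OpenZeppelin v5 import path; adjust to the version the project pins.
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";

contract PausableMultiSigTimelock is Pausable {
    struct Proposal { address target; bytes data; uint256 eta; uint256 confirmations; bool executed; }
    mapping(address => bool) public isSigner;
    uint256 public immutable quorum;
    uint256 public immutable delay;
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public confirmed;
    uint256 public pauseEpoch; // bumped on every pause so stale unpause votes cannot be replayed
    mapping(uint256 => mapping(address => bool)) public unpauseVoted;
    mapping(uint256 => uint256) public unpauseVotes;
    modifier onlySigner() { require(isSigner[msg.sender], "not signer"); _; }

    constructor(address[] memory signers, uint256 _quorum, uint256 _delay) {
        require(_quorum > 0 && _quorum <= signers.length, "bad quorum");
        for (uint256 i = 0; i < signers.length; i++) isSigner[signers[i]] = true;
        quorum = _quorum; delay = _delay;
    }

    // Every lifecycle step is gated, so nothing moves while the breaker is tripped.
    function propose(address target, bytes calldata data) external onlySigner whenNotPaused returns (uint256 id) {
        id = proposals.length;
        proposals.push(Proposal(target, data, block.timestamp + delay, 0, false));
    }
    function confirm(uint256 id) external onlySigner whenNotPaused {
        require(!confirmed[id][msg.sender], "already confirmed");
        confirmed[id][msg.sender] = true;
        proposals[id].confirmations++;
    }
    function executeTransaction(uint256 id) external onlySigner whenNotPaused {
        Proposal storage p = proposals[id];
        require(!p.executed && p.confirmations >= quorum && block.timestamp >= p.eta, "not executable");
        p.executed = true;
        (bool ok,) = p.target.call(p.data);
        require(ok, "call failed");
    }

    // Fast path: any single signer can freeze the wallet the moment a compromise is spotted.
    function pause() external onlySigner { pauseEpoch++; _pause(); }
    // Slow path: resuming needs a quorum, so one compromised key cannot lift the freeze alone.
    function unpause() external onlySigner whenPaused {
        require(!unpauseVoted[pauseEpoch][msg.sender], "already voted");
        unpauseVoted[pauseEpoch][msg.sender] = true;
        if (++unpauseVotes[pauseEpoch] >= quorum) _unpause();
    }
}
```

Note that while paused, the timelock on queued proposals keeps running, so a frozen proposal may be executable the instant the quorum unpauses; signers should cancel or let it lapse before lifting the freeze.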
