MultiSig Timelock

First Flight #55

Beginner FriendlyWallet

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: high

Call data allows any data to be passed

Author Revealed upon completion

Call data allows any data to be passed

Description

The contract's transaction proposal mechanism accepts arbitrary call data, enabling invocation of any function on the target contract. This unrestricted input can lead to execution of unauthorized or harmful operations if the proposer is malicious or compromised.

Risk

Likelihood: High
An attacker or malicious proposer can submit transactions invoking any function on the destination address.

Impact: High
This may result in unauthorized state changes, asset transfers, or other malicious effects depending on the called function’s logic.

Proof of Concept

function test_proposeTransaction_allowsAnyCalldata() public {

address recipient = address(1);

uint256 value = 0 ether;

bytes memory data = abi.encodePacked(bytes4(keccak256("drain()")));

vm.prank(OWNER);

vm.expectEmit(true, true, true, false);

emit MultiSigTimelock.TransactionProposed(0, recipient, value);

uint256 transactionId = wallet.proposeTransaction(recipient, value, data);

assertEq(wallet.getTransactionCount(), 1);

MultiSigTimelock.Transaction memory transaction = wallet.getTransaction(transactionId);

assertEq(transaction.to, recipient, "Invalid recipient");

assertEq(transaction.value, value, "Invalid value");

assertEq(transaction.data, data, "Invalid data");

assertEq(transaction.confirmations, 0, "Invalid confirmations");

assertEq(transaction.proposedAt, block.timestamp, "Invalid proposedAt");

assertEq(transaction.executed, false, "Invalid executed");

}

Mitigation

Implement strict validation on the calldata input by maintaining an allowlist of permitted functions or actions callable via the transaction proposal. This can be achieved by:

Restricting data to encoded calls matching predefined function selectors.
Validating the target address and calldata before acceptance.
Enforcing access control on proposers able to submit arbitrary call data.

Rewards breakdown

nSLOC

205

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!