Root + Impact

The contract treats Membership changes as simple administrative tasks rather than Governance actions. While a transfer of 100 ETH is forced to wait 7 days for security, a “transfer of power” (adding a malicious signer to reach quorum) happens instantly

Description

The contract implements a robust Multi-Signature and Timelock mechanism for ETH transactions, but leaves Signer Management entirely centralized and unprotected.

The functions grantSigningRole and revokeSigningRole are governed by the onlyOwner modifier and execute immediately without:

* Multisig Consensus: The owner can add or remove signers without the approval of the existing signing quorum.

* Timelock Delay: There is no “cooldown” period for membership changes.

Risk

Likelihood:

• Reason 1 // Describe WHEN this will occur (avoid using "if" statements)

• Reason 2

Impact:

If the Owner is compromised, an attacker can:

* Immediately grant the SIGNING_ROLE to multiple attacker-controlled addresses.

* Immediately revoke legitimate signers.

* Because the roles are updated instantly, the attacker now controls the multisig quorum and can immediately start proposing and confirming the drainage of funds. The legitimate signers have no “reaction window” to stop the attack.

Proof of Concept

An attacker gains access to the OWNER account and takes over the wallet in a single block.

1. Attacker gains Owner’s key and calls grantSigningRole to his other occounts

2. Attacker revokes the legitimate signing role to existing accounts

3. The attacker now holds 3 of the 4 active roles, can propose transaction and execute the transaction

Recommended Mitigation

Create a new transaction type in the Transaction struct for MEMBER_ADD or MEMBER_REMOVE.

Force all membership changes to pass through the propose -> confirm -> timelock -> execute workflow. This ensures that if the Owner account is compromised, the existing signers have a 48-hour to 7-day window to notice the malicious proposal and take defensive action.