The revokeSigningRole function includes the following check:
This condition allows execution only when the signer count is greater than one. However, in a correctly initialized multisig wallet, the number of signers should never be less than one.
As written, the condition suggests that a state with s_signerCount == 0 is considered possible, even though such a state should be unreachable by design.
This issue does not introduce a direct security vulnerability. However, it reflects an imprecise assumption about valid contract states, which can reduce code clarity and increase the likelihood of logical errors in future modifications.
In complex access-control systems like multisig wallets, unclear invariants may lead to misinterpretation during maintenance or extension of the contract.
Impact: low
Reason: There can hardly be fewer than one signer left in the protocol.
Likelihood: low
Reason: The issue does not directly affect runtime behavior under normal conditions and does not enable an attack by itself. It is primarily a correctness and maintainability concern.
Tighten the condition so that it states the actual invariant of the system. For example, explicitly enforce that the signer count must always be greater than one by design, and adjust the related checks and documentation accordingly so that the intended valid states are unambiguous.
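The following is an added illustration, not code from the audited contract: it places the loose form of the check beside one that names the invariant it protects. Only `revokeSigningRole` and `s_signerCount` are taken from the finding; the constructor, `MIN_SIGNERS`, `isSigner`, `addSigner` and the custom errors are assumptions introduced for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal multisig-style role registry (added example, not the audited contract).
/// Only `revokeSigningRole` and `s_signerCount` come from the finding; every
/// other name here is an assumption made for illustration.
contract SignerInvariantExample {
    /// The invariant made explicit: the contract never operates with fewer
    /// signers than this once it has been initialized.
    uint256 public constant MIN_SIGNERS = 1;

    uint256 public s_signerCount;
    mapping(address => bool) public isSigner;

    error NotSigner(address caller);
    error NotASigner(address account);
    error WouldBreakSignerInvariant(uint256 countAfter, uint256 minimum);

    modifier onlySigner() {
        if (!isSigner[msg.sender]) revert NotSigner(msg.sender);
        _;
    }

    /// Establish the invariant at construction so that s_signerCount == 0 is
    /// unreachable afterwards.
    constructor(address[] memory initialSigners) {
        require(initialSigners.length >= MIN_SIGNERS, "too few initial signers");
        for (uint256 i = 0; i < initialSigners.length; i++) {
            address s = initialSigners[i];
            require(s != address(0) && !isSigner[s], "bad or duplicate signer");
            isSigner[s] = true;
            s_signerCount++;
        }
    }

    /// Loose form, as described in the finding. Arithmetically it prevents the
    /// count from reaching zero, but nothing in the code says *why* `1` is the
    /// boundary, so a reader may assume a zero-signer state is legitimate.
    function revokeSigningRoleLoose(address signer) external onlySigner {
        require(s_signerCount > 1, "cannot revoke");
        _revoke(signer);
    }

    /// Tightened form: the check is written in terms of the named invariant,
    /// the error reports the violated bound, and an assert documents that the
    /// invariant still holds after the state change.
    function revokeSigningRole(address signer) external onlySigner {
        if (!isSigner[signer]) revert NotASigner(signer);
        uint256 countAfter = s_signerCount - 1;
        if (countAfter < MIN_SIGNERS) {
            revert WouldBreakSignerInvariant(countAfter, MIN_SIGNERS);
        }
        _revoke(signer);
        // Internal invariant; a failure here indicates a bug, not bad input.
        assert(s_signerCount >= MIN_SIGNERS);
    }

    /// Granting a role cannot violate the lower bound, so it needs no
    /// invariant check beyond rejecting duplicates.
    function addSigner(address signer) external onlySigner {
        require(signer != address(0) && !isSigner[signer], "bad or existing signer");
        isSigner[signer] = true;
        s_signerCount++;
    }

    function _revoke(address signer) private {
        if (!isSigner[signer]) revert NotASigner(signer);
        isSigner[signer] = false;
        s_signerCount--;
    }
}
```

Both versions reject the same inputs, so the difference is maintainability rather than runtime behaviour: when a future change alters the minimum (for example to require two signers for a threshold scheme), the tightened version has one constant to update and one place where the invariant is asserted, whereas the loose version leaves the boundary as an unexplained literal. The explicit `isSigner[signer]` check before decrementing also prevents the counter from drifting out of sync with the mapping if a non-signer address is passed.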