MultiSig Timelock

First Flight #55
Beginner Friendly
Wallet
100 EXP
Submission Details
Impact: high
Likelihood: high

Centralization / Owner backdoor: Owner can unilaterally reshape signer set and proposals

Author: Revealed upon completion

Root + Impact

Description

Normal behavior:
  A multisig should not have a single EOA with unilateral control over membership and transaction flow.

Issue:
  The owner has exclusive control over:

  • granting/revoking signers
  • (often) proposing transactions

  Even if the ghost-vote bug is fixed, owner control still creates a backdoor:

  • a compromised owner can replace honest signers with attacker-controlled signers
  • the new signer set can then approve and execute malicious transactions

Root cause: the contract mixes Ownable (a central admin) with AccessControl (roles) but keeps ultimate authority with onlyOwner, so role management never passes through the multisig's own confirmation flow.
```solidity
function revokeSigningRole(address _account)
    external
    nonReentrant
    onlyOwner
    noneZeroAddress(_account)
{
    if (!s_isSigner[_account]) {
        revert MultiSigTimelock__AccountIsNotASigner();
    }
    // ❌ BUG: allows signer count < REQUIRED_CONFIRMATIONS
    if (s_signerCount <= 1) {
        revert MultiSigTimelock__CannotRevokeLastSigner();
    }
    // ... rest of the function omitted in the report
}
```
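A hardened sketch of the same membership logic, added here as an illustration and not taken from the audited contract: membership changes are gated by an `onlySelf` modifier (a hypothetical name) so they can only be executed by the multisig itself after its own confirmation and timelock flow, and a revoke is rejected whenever it would leave fewer than `REQUIRED_CONFIRMATIONS` signers. `s_isSigner`, `s_signerCount` and `REQUIRED_CONFIRMATIONS` follow the report's naming; the custom error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract: membership changes can only be executed by
// the multisig itself, and a revoke can never push the signer count below the threshold.
contract SignerSetSketch {
    error NotSelf();
    error ZeroAddress();
    error AlreadySigner();
    error NotSigner();
    error SignerCountBelowThreshold(uint256 remaining, uint256 required);

    uint256 public immutable REQUIRED_CONFIRMATIONS;
    uint256 public s_signerCount;
    mapping(address => bool) public s_isSigner;

    // Only a proposal that passed the multisig's own confirmation/timelock flow
    // (and is therefore executed by address(this)) may change membership.
    modifier onlySelf() {
        if (msg.sender != address(this)) revert NotSelf();
        _;
    }

    constructor(address[] memory initialSigners, uint256 required) {
        require(required > 0 && required <= initialSigners.length, "bad threshold");
        REQUIRED_CONFIRMATIONS = required;
        for (uint256 i = 0; i < initialSigners.length; i++) _grant(initialSigners[i]);
    }

    function grantSigningRole(address account) external onlySelf {
        _grant(account);
    }

    function revokeSigningRole(address account) external onlySelf {
        if (!s_isSigner[account]) revert NotSigner();
        // Reject the revoke if it would leave fewer signers than the threshold,
        // otherwise no proposal could ever collect REQUIRED_CONFIRMATIONS again.
        if (s_signerCount <= REQUIRED_CONFIRMATIONS) {
            revert SignerCountBelowThreshold(s_signerCount - 1, REQUIRED_CONFIRMATIONS);
        }
        s_isSigner[account] = false;
        s_signerCount -= 1;
    }

    function _grant(address account) internal {
        if (account == address(0)) revert ZeroAddress();
        if (s_isSigner[account]) revert AlreadySigner();
        s_isSigner[account] = true;
        s_signerCount += 1;
    }
}
```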

Risk

Likelihood:

  • Owner key compromise is common.

  • This is a design-level weakness.

Impact:

  • Full takeover of multisig governance and funds.

Proof of Concept

1. Owner revokes existing signers.
2. Owner grants roles to attacker-controlled addresses.
3. New signer set confirms and executes a drain transaction.

Recommended Mitigation

- if (s_signerCount <= 1) {
+ if (s_signerCount <= REQUIRED_CONFIRMATIONS) {
revert MultiSigTimelock__CannotRevokeLastSigner();
}
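Review bot: the patched condition correctly keeps the count at or above REQUIRED_CONFIRMATIONS after a revoke, but the revert it reuses, `MultiSigTimelock__CannotRevokeLastSigner()`, no longer describes what is being rejected; a dedicated error such as `MultiSigTimelock__SignerCountBelowThreshold()` (a suggested name, not one from the codebase) would keep the revert reason accurate. The threshold check also does not close the backdoor this finding is about: while `revokeSigningRole` and its grant counterpart remain `onlyOwner`, a compromised owner can still swap signers one address at a time without ever dropping below the threshold, so membership changes should additionally be routed through the multisig's own proposal and confirmation flow rather than a single owner key.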
