Root + Impact

Unrestricted renounceRole Allows Signers to Corrupt Signer Accounting and Permanently Break Quorum

Description

• The protocol relies on OpenZeppelin AccessControl to manage signing permissions and maintains its own internal signer accounting (s_signerCount and signer array) to enforce quorum and execution rules.

• Signer removal is expected to occur exclusively through the revokeSigningRole function, which enforces invariants such as preventing the removal of the last signer and maintaining internal counters.

• The issue is that signers can independently call renounceRole(SIGNING_ROLE, msg.sender), bypassing revokeSigningRole.

• This causes the AccessControl role state to change without updating internal signer tracking, leading to inconsistent signer counts, broken quorum logic, and potential permanent denial of service.

Risk

Likelihood:

• Signers may voluntarily exit governance or rotate keys during normal protocol operation.

• Multisig participants can renounce roles without coordination or owner approval.

Impact:

• Internal signer count diverges from actual signer set, corrupting quorum enforcement.

• Transactions become permanently unexecutable due to unreachable confirmation thresholds.

Proof of Concept

This PoC demonstrates that a signer can renounce their signing role without updating internal signer tracking:

1. A multisig is initialized with multiple signers.

2. One signer calls renounceRole to remove themselves.

3. The contract still believes the signer exists due to unchanged internal counters.

4. New transactions fail to reach quorum despite all active signers confirming.

This results in a permanent governance deadlock without owner intervention.

PoC Code

Recommended Mitigation

Signer removal must be fully controlled and state-synchronized.

Disable Self-Removal for Signers

Function: renounceRole(bytes32,address)

This ensures all signer removals go through invariant-preserving logic and prevents silent quorum corruption.