Root + Impact

Description

• The intended behavior of the contract is to protect funds using a multisignature scheme, where multiple independent signers must approve transactions, thereby mitigating the risk of a single compromised key (including the owner) leading to fund loss.

• The specific issue is that the owner retains unilateral and immediate control over signer management. If the owner private key is compromised, the attacker can revoke honest signers and add malicious signers, preserving quorum and fully bypassing the multisig’s protective guarantees, ultimately allowing fund theft.

Risk

Likelihood:

• Owner private key compromise occurs through phishing, key reuse, malware, or insecure key storage.

• Governance actions (signer rotation or maintenance) are routinely performed using the owner key, increasing its exposure.

Impact:

• Complete loss of all funds held by the multisig despite the presence of multiple signers.

• False sense of security for users who assume multisig protection extends to owner compromise scenarios.

Proof of Concept

Explanation

This proof demonstrates that once the owner key is compromised, the attacker can fully control the signer set. By removing honest signers and adding malicious ones, the attacker restores quorum and executes a malicious transaction that drains funds. All protocol checks pass, and the multisig provides no resistance.

Recommended Mitigation

Signer management must itself be protected by the multisig, ensuring that owner compromise alone cannot alter the signer set.

Function modified: grantSigningRole and revokeSigningRole

• Remove unilateral owner authority

• Require multisig-approved transactions to add or remove signers, using the same principle that to valide a transaction (not shown here)

Alternatively, signer changes should be executed exclusively via executeTransaction with a timelock and quorum, or the owner role itself should be transferred to a multisig contract.