Deployment Scripts Use Hardcoded Addresses Without Validation
The GrantSigningRole script hardcodes the signer addresses as constants and performs no validation on them: nothing checks that they are non-zero, that they are not contracts, or that they are the intended, verified signer keys. If any of these addresses is mistyped or controlled by an untrusted party, the multisig is initialized in an insecure state.
Likelihood:
If SIGNER_TWO through SIGNER_FIVE are not controlled by trusted parties, or if any address is mistyped, the multisig is compromised from the moment of deployment.
Impact:
Deployment could fail or result in an incorrectly configured multisig if addresses are invalid. Hardcoded addresses also make the script inflexible for different deployments.
Hardcoded Role Assignment
This script is a Foundry deployment or administration script used to automate the process of adding new signers to a MultiSig contract.
• Fixed Identities: It defines four specific wallet addresses as constants (SIGNER_TWO through SIGNER_FIVE).
• Automated Execution: The grantSigningRole function calls the MultiSig contract to officially authorize these addresses.
• The Critical Risk: The comment "No validation of addresses" highlights a trust assumption. If one of these hardcoded addresses contains a typo or belongs to an attacker, the script grants that address a signing role on the MultiSig exactly as written. In a production environment this can lead to a loss of funds unless the addresses are verified against an official registry, or confirmed by the existing signers, before the script is run.
Secure and Configurable Role Granting
This version of the script replaces hardcoded constants with a dynamic and validated approach to adding signers.
• Configurability: By passing an array (address[] memory signers), you can use the same script for different environments (testnet vs. mainnet) without changing the code.
• Zero-Address Guard: It ensures no one accidentally grants the role to address(0). A zero-address signer can never produce a signature, so the seat is dead weight and, depending on how the MultiSig counts its threshold, can make the required quorum unreachable or trigger logic errors.
• EOA Enforcement: The check signers[i].code.length == 0 rejects any address that currently has bytecode, so a known contract cannot be added as a signer. Two caveats apply: code.length is also zero for a contract still executing its constructor and for an address that will only later receive code (for example via CREATE2), so the check cannot prove an address is an EOA; and it also excludes legitimate smart-contract wallets, which may or may not be an intended signer type for this MultiSig.
• Batch Limit: It restricts the input to a maximum of 4 signers, preventing accidental mass-assignment or gas-limit issues during the broadcast.
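The following Foundry script is an added example illustrating both the hardcoded pattern described under "Hardcoded Role Assignment" and the validated, configurable pattern described above; it is not the audited project's code. The IMultiSig interface, its grantSigningRole and hasSigningRole functions, the placeholder signer addresses and the SIGNERS/MULTISIG environment variable names are assumptions made for this example and should be adapted to the real MultiSig contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Script} from "forge-std/Script.sol";

/// Assumed interface of the MultiSig contract (function names are assumptions for this example).
interface IMultiSig {
    function grantSigningRole(address signer) external;
    function hasSigningRole(address signer) external view returns (bool);
}

/// BEFORE: the pattern the finding describes. The constants below are placeholders
/// constructed for this example, not real signer keys.
contract GrantSigningRoleHardcoded is Script {
    address constant SIGNER_TWO   = 0x0000000000000000000000000000000000000002;
    address constant SIGNER_THREE = 0x0000000000000000000000000000000000000003;
    address constant SIGNER_FOUR  = 0x0000000000000000000000000000000000000004;
    address constant SIGNER_FIVE  = 0x0000000000000000000000000000000000000005;

    function grantSigningRole(address multisig) external {
        vm.startBroadcast();
        // No validation of addresses: a typo or a compromised constant is granted the role as-is.
        IMultiSig(multisig).grantSigningRole(SIGNER_TWO);
        IMultiSig(multisig).grantSigningRole(SIGNER_THREE);
        IMultiSig(multisig).grantSigningRole(SIGNER_FOUR);
        IMultiSig(multisig).grantSigningRole(SIGNER_FIVE);
        vm.stopBroadcast();
    }
}

/// AFTER: signers are supplied per deployment and validated before any transaction is sent.
contract GrantSigningRoleValidated is Script {
    uint256 public constant MAX_BATCH = 4;

    error EmptyBatch();
    error BatchTooLarge(uint256 given, uint256 max);
    error ZeroAddress(uint256 index);
    error HasCode(uint256 index, address signer);
    error DuplicateSigner(uint256 index, address signer);
    error AlreadySigner(address signer);

    /// Validation is kept separate from broadcasting so it can be unit tested without an RPC.
    function validate(address[] memory signers) public view {
        if (signers.length == 0) revert EmptyBatch();
        if (signers.length > MAX_BATCH) revert BatchTooLarge(signers.length, MAX_BATCH);
        for (uint256 i = 0; i < signers.length; i++) {
            address s = signers[i];
            if (s == address(0)) revert ZeroAddress(i);
            // Rejects addresses that currently hold bytecode. This does not prove s is an EOA:
            // code.length is also zero for a contract mid-constructor or a not-yet-deployed
            // CREATE2 address, so treat it as a sanity check, not as a guarantee.
            if (s.code.length != 0) revert HasCode(i, s);
            // A duplicate would silently waste a seat (or revert inside the MultiSig).
            for (uint256 j = 0; j < i; j++) {
                if (signers[j] == s) revert DuplicateSigner(i, s);
            }
        }
    }

    /// Entry point for `forge script`. Signers come from the environment, not from constants:
    ///   MULTISIG=0x... SIGNERS=0xabc...,0xdef... forge script ... --broadcast
    function run() external {
        address multisig = vm.envAddress("MULTISIG");
        address[] memory signers = vm.envAddress("SIGNERS", ",");
        grantSigningRole(multisig, signers);
    }

    function grantSigningRole(address multisig, address[] memory signers) public {
        validate(signers);
        IMultiSig ms = IMultiSig(multisig);
        vm.startBroadcast();
        for (uint256 i = 0; i < signers.length; i++) {
            if (ms.hasSigningRole(signers[i])) revert AlreadySigner(signers[i]);
            ms.grantSigningRole(signers[i]);
        }
        vm.stopBroadcast();
        // Post-condition: every requested signer now holds the role; fail loudly otherwise.
        for (uint256 i = 0; i < signers.length; i++) {
            require(ms.hasSigningRole(signers[i]), "grant did not take effect");
        }
    }
}
```

Run the validated script against a fork first (`forge script` without `--broadcast`) so that validate, the AlreadySigner check and the post-condition all execute before any real transaction is signed; the same binary then serves testnet and mainnet by changing only the MULTISIG and SIGNERS environment variables.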