When a signer's role is revoked, their previous confirmations on pending transactions remain valid, allowing revoked signers to effectively retain voting power on transactions they confirmed before removal.
The contract is designed to allow the owner to revoke signing privileges from accounts that are no longer trusted or have been compromised, removing their ability to participate in the multi-signature approval process.
When `revokeSigningRole()` is called, it removes the account from the signers array and revokes their `SIGNING_ROLE`, but it does not invalidate any confirmations that account has already made on pending transactions. This means a revoked signer's previous votes continue to count toward the required confirmation threshold, effectively allowing them to influence transaction execution even after being removed.
Likelihood:
High.
A signer becomes compromised or untrusted and the owner needs to revoke their access immediately
The compromised signer has already confirmed one or more pending transactions before being detected
The owner revokes the signer believing this will invalidate all their participation in pending transactions
Impact:
Transactions can reach the required confirmation threshold and be executed with votes from accounts that no longer have signing privileges
The security guarantee of requiring 3 active, trusted signers is violated, as revoked signers effectively maintain voting power
An owner who removes a malicious signer may believe pending transactions are now safe, when in reality the malicious signer's previous confirmations still count toward execution
Defeats the entire purpose of the revocation mechanism for pending transactions
Refactor `revokeSigningRole()` so that it checks whether the account about to be revoked has confirmed any pending transactions. If it has, those confirmations must be removed so they no longer count toward the confirmation threshold.
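As an added illustration (not the audited contract's code; names, storage layout and a fixed threshold of 3 are assumed), the vulnerable shape of the revoke function next to a hardened version that withdraws the account's confirmations from every pending transaction before dropping the role:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal multisig state; the real contract's layout may differ.
contract MultisigSketch {
    struct Transaction { bool executed; uint256 numConfirmations; }

    address public owner;
    uint256 public required = 3;               // assumed threshold
    Transaction[] public transactions;
    mapping(address => bool) public isSigner;
    mapping(uint256 => mapping(address => bool)) public isConfirmed;

    constructor() { owner = msg.sender; }

    // Vulnerable shape: the role is removed but every
    // isConfirmed[txId][account] == true entry keeps counting.
    function revokeSigningRoleVulnerable(address account) external {
        require(msg.sender == owner, "not owner");
        isSigner[account] = false;
    }

    // Hardened: clear the account's votes on all pending (unexecuted)
    // transactions, then remove the role. The loop is O(n) over the
    // transaction list; track per-signer pending ids if n grows large.
    function revokeSigningRole(address account) external {
        require(msg.sender == owner, "not owner");
        for (uint256 txId = 0; txId < transactions.length; txId++) {
            Transaction storage t = transactions[txId];
            if (!t.executed && isConfirmed[txId][account]) {
                isConfirmed[txId][account] = false;
                t.numConfirmations -= 1;         // vote no longer counts
            }
        }
        isSigner[account] = false;
    }

    // Execution relies on numConfirmations being made only of votes from
    // accounts that still hold the signing role.
    function executeTransaction(uint256 txId) external {
        Transaction storage t = transactions[txId];
        require(!t.executed, "already executed");
        require(t.numConfirmations >= required, "not enough confirmations");
        t.executed = true;
        // ... perform the approved call here
    }
}
```

A defensive complement is to recount confirmations from `isSigner` holders inside `executeTransaction`, so a stale vote can never reach the threshold even if a future code path forgets to clear it.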