The MultiSigTimelock contract is designed as a multi-signature wallet where up to 5 signers (holders of the SIGNING_ROLE) collaborate to manage funds securely. According to the project specification, any signer should be able to propose new transactions, as proposal permission is explicitly tied to the SIGNING_ROLE rather than sole ownership. This enables decentralized governance, allowing team members or co-owners to initiate transfers without relying on a single privileged account.

However, the proposeTransaction function is incorrectly restricted with the onlyOwner modifier inherited from Ownable. This means only the original deployer (contract owner) can call it to propose transactions, while other added signers cannot initiate proposals despite holding the SIGNING_ROLE.

Risk

Likelihood: High

• The owner is always a signer (granted SIGNING_ROLE in constructor), and additional signers are added via grantSigningRole (onlyOwner).

• In any realistic deployment with multiple signers (2–5 total), non-owner signers will attempt to propose transactions as per the documented behavior.

• Impact: High

  • Severely limits wallet usability: Added signers can only confirm, revoke, or execute existing proposals but cannot initiate any new transfers or contract interactions.

  • Defeats the multi-signature governance model, centralizing proposal power with the owner and contradicting the spec's description of equal powers among signers (except role management).

  • In team or DAO treasuries, this creates a single point of failure/bottleneck for fund movement, potentially leading to operational deadlock if the owner is unavailable or compromised.

Proof of Concept

Recommended Mitigation