MultiSig Timelock

First Flight #55
Beginner Friendly, Wallet
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Bug Owner-Controlled Proposal Flow Breaks Multisig Security Model in MultiSigTimelock.sol

Root + Impact

Description

  • Only the owner can propose transactions.

  • Owner also controls signer assignment.

  • This allows a single EOA to:

    1. Propose transaction

    2. Assign friendly signers

    3. Reach quorum

    4. Drain funds

function proposeTransaction(...) external onlyOwner { // @>

Risk

Likelihood:

  • Happens by design

  • Centralized deployments are common

Impact:

  • Multisig security assumption completely violated

  • Single-key compromise = total loss


PoC

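owner.grantSigningRole(ownerAlt1); // owner assigns signers it controls
owner.grantSigningRole(ownerAlt2);
proposeTransaction(owner, balance, ""); // owner proposes sending the balance to itself
confirmTransaction(0); // confirmations for transaction 0 until quorum is reached
confirmTransaction(0);
confirmTransaction(0);
executeTransaction(0); // the proposed transfer executes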

Mitigation

❌ Remove

onlyOwner

✅ Add

onlyRole(SIGNING_ROLE)

For proposeTransaction
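
The modifier change above, written out as an added sketch; it is not code from MultiSigTimelock.sol or from the submission. Only `SIGNING_ROLE`, `grantSigningRole` and `proposeTransaction` come from the report. The contract name, storage layout, event, OpenZeppelin v5 base contracts and the deployer holding the role are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Hypothetical sketch, not the audited contract.
contract ProposalGateSketch is Ownable, AccessControl {
    bytes32 public constant SIGNING_ROLE = keccak256("SIGNING_ROLE");

    struct Transaction {
        address to;
        uint256 value;
        bytes data;
        address proposer; // recorded so reviewers can see who opened each proposal
    }

    Transaction[] private s_transactions; // assumed storage layout

    event TransactionProposed(uint256 indexed txId, address indexed proposer, address to, uint256 value);

    constructor() Ownable(msg.sender) {
        // Assumption: the deployer is also a signer.
        _grantRole(SIGNING_ROLE, msg.sender);
    }

    // Signer assignment stays owner-only, as the report describes;
    // the report's mitigation changes only the proposer check below.
    function grantSigningRole(address account) external onlyOwner {
        _grantRole(SIGNING_ROLE, account);
    }

    // Before (as reported): function proposeTransaction(...) external onlyOwner
    // After (report's mitigation): any holder of SIGNING_ROLE may propose.
    function proposeTransaction(address to, uint256 value, bytes calldata data)
        external
        onlyRole(SIGNING_ROLE)
        returns (uint256 txId)
    {
        txId = s_transactions.length;
        s_transactions.push(Transaction({to: to, value: value, data: data, proposer: msg.sender}));
        emit TransactionProposed(txId, msg.sender, to, value);
    }
}
```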

Updates

Lead Judging Commences
kelechikizito, Lead Judge, 11 days ago

kelechikizito, Lead Judge, 4 days ago
Submission Judgement Published
Invalidated
Reason: Other
