Submission Details
Impact:
Likelihood:
Bug Owner-Controlled Proposal Flow Breaks Multisig Security Model in MultiSigTimelock.sol
Author Revealed upon completion
Root + Impact
Description
Only the owner can propose transactions.
Owner also controls signer assignment.
This allows a single EOA to:
Propose transaction
Assign friendly signers
Reach quorum
Drain funds
function proposeTransaction(...) external onlyOwner { // @>
Risk
Likelihood:
Happens by design
Centralized deployments are common
Impact:
Multisig security assumption completely violated
Single-key compromise = total loss
PoC
owner.grantSigningRole(ownerAlt1);
owner.grantSigningRole(ownerAlt2);
proposeTransaction(owner, balance, "");
confirmTransaction(0);
confirmTransaction(0);
confirmTransaction(0);
executeTransaction(0);
Mitigation
❌ Remove
onlyOwner
✅ Add
onlyRole(SIGNING_ROLE)
For proposeTransaction
Rewards breakdown
nSLOC
205This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.