MultiSig Timelock

First Flight #55
Beginner Friendly, Wallet
100 EXP
Submission Details
Impact: medium
Likelihood: medium

## [M-1] Only owner can propose the transaction but other signers can't

Author Revealed upon completion

Root + Impact

The function `MultiSigTimelock::proposeTransaction` is restricted with `onlyOwner`, so signers other than the owner cannot initiate transactions.

Description

The contract's README says that ordinary signers also have the right to propose transactions.
The function `MultiSigTimelock::proposeTransaction` is `onlyOwner`, so it only allows the owner to propose transactions.

```solidity
function proposeTransaction(address to, uint256 value, bytes calldata data)
    external
    nonReentrant
    noneZeroAddress(to)
    onlyOwner // @> root cause: onlyOwner prevents ordinary signers from proposing
    returns (uint256)
```

Risk

Likelihood:

  • Every time a signer other than the contract owner tries to propose a transaction, the call fails.

Impact:

  • Signers other than the owner can't propose a transaction, which does not match the README.

Proof of Concept

This test has each of the other signers try to propose a transaction. Every call reverts, so none of them can submit a proposal.

```solidity
function testProposeTransactionRevertsIsOtherSigners() public grantSigningRoles {
    // Indices 1..4 are the signers other than the owner.
    for (uint256 i = 1; i < 5; i++) {
        address othersigners = multiSigTimelock.getSigners()[i];
        // Call as the signer and expect the proposal to revert.
        vm.prank(othersigners);
        vm.expectRevert();
        multiSigTimelock.proposeTransaction(SPENDER_ONE, OWNER_BALANCE_ONE, hex"");
    }
}
```
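The PoC above uses a bare `vm.expectRevert()`, which passes on any revert. The following added example (not code from the submission or the project) models the two gates in a hypothetical stand-in contract and pins the revert reason; `GateModel`, its functions and its error names are assumptions made for illustration, and it needs `forge-std`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in modelling only the two access gates; not the project's contract.
contract GateModel {
    address public immutable owner = msg.sender;
    mapping(address => bool) public hasSigningRole;
    uint256 public nextTxId;
    error NotOwner(address caller);
    error NotSigner(address caller);
    function grantSigningRole(address account) external {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        hasSigningRole[account] = true;
    }
    // Gate as reported: only the owner may propose.
    function proposeOwnerOnly(address, uint256, bytes calldata) external returns (uint256) {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        return nextTxId++;
    }
    // Gate as recommended: any holder of the signing role may propose.
    function proposeRoleGated(address, uint256, bytes calldata) external returns (uint256) {
        if (!hasSigningRole[msg.sender]) revert NotSigner(msg.sender);
        return nextTxId++;
    }
}

contract GateModelTest is Test {
    GateModel gate;
    address signer = makeAddr("signer"); // constructed test addresses
    address outsider = makeAddr("outsider");
    function setUp() public {
        gate = new GateModel(); // the test contract becomes the owner
        gate.grantSigningRole(signer);
    }

    function testSignerBlockedByOwnerGateButNotRoleGate() public {
        vm.prank(signer);
        vm.expectRevert(abi.encodeWithSelector(GateModel.NotOwner.selector, signer));
        gate.proposeOwnerOnly(address(0xBEEF), 1 ether, hex"");
        vm.prank(signer);
        assertEq(gate.proposeRoleGated(address(0xBEEF), 1 ether, hex""), 0);
    }

    function testOutsiderStillBlockedByRoleGate() public {
        vm.prank(outsider);
        vm.expectRevert(abi.encodeWithSelector(GateModel.NotSigner.selector, outsider));
        gate.proposeRoleGated(address(0xBEEF), 1 ether, hex"");
    }
}
```

Pinning the selector and argument makes the negative test fail if the call starts reverting for an unrelated reason, which a bare `vm.expectRevert()` would hide.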

Recommended Mitigation

You only need to replace `onlyOwner` with `onlyRole` so that other signers can also propose transactions. The behavior then matches what the README describes:

  • Propose new transactions (permission is tied to the role, so any signer can propose)

- onlyOwner
+ onlyRole(SIGNING_ROLE)
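Review bot: on the `+ onlyRole(SIGNING_ROLE)` line, access to `proposeTransaction` now depends entirely on who holds `SIGNING_ROLE`, and nothing in this change shows the owner being granted that role; if the owner does not hold it, the swap removes the owner's ability to propose. Confirm the role is granted to the owner at deployment. The PoC test also needs updating with this change: its `vm.expectRevert()` for signers 1 to 4 should become a success assertion, with a separate case showing that an address without `SIGNING_ROLE` still reverts.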
