`proposeTransaction` uses `onlyOwner` instead of `onlyRole(SIGNING_ROLE)`, preventing signers from proposing
proposeTransaction uses onlyOwner instead of onlyRole(SIGNING_ROLE), preventing signers from proposing
Description
According to the README documentation, any signer should be able to propose transactions: "Propose new transactions (permission is tied to the role, so any signer can propose)".
The proposeTransaction function incorrectly uses the onlyOwner modifier instead of onlyRole(SIGNING_ROLE), restricting proposal rights to only the owner.
Risk
Likelihood: High
This occurs every time a non-owner signer attempts to propose a transaction
Impact: High
-
Only the contract owner can propose transactions, not all signers as documented
-
Severely limits the functionality of the multi-sig wallet
-
Violates the principle that signers should have equal power once the role is granted
Proof of Concept
Explanation: A signer (SIGNER_TWO) who has been granted SIGNING_ROLE attempts to propose a transaction. Despite having the correct role according to documentation, the call reverts because onlyOwner modifier only allows the contract owner to propose.
Expected: Any address with SIGNING_ROLE can propose transactions.
Actual: Only owner can propose; signers get OwnableUnauthorizedAccount error.
Recommended Mitigation
Explanation: Replace onlyOwner with onlyRole(SIGNING_ROLE) to match the documented behavior. This ensures all signers have equal proposal rights as intended by the multi-sig design.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.