Code4rena (code423n4): 2023-07-axelar-findings, issue 399
Jul 21, 2023 - 12:00 a.m.

Multisig's functionality is impaired when Signers#threshold is 1

2023-07-21 00:00:00
Code4rena
github.com
2
multisig
threshold
individual signer
vulnerability
validation

6.8 Medium

AI Score

Confidence

High

Lines of code
<https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/cgp/auth/MultisigBase.sol#L44-L77>
<https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/cgp/auth/MultisigBase.sol#L159-L161>
<https://github.com/code-423n4/2023-07-axelar/blob/2f9b234bb8222d5fbe934beafede56bfb4522641/contracts/cgp/util/Caller.sol#L18>

Vulnerability details

Impact

Multisig's functionality is impaired when Signers#threshold is 1.
If Signers#threshold is 1, a single signer can claim all the funds held by the Multisig without any other signer voting.
A multisig should require at least 2 signers to vote, but the MultisigBase contract does not enforce this.
The following scenario illustrates the problem:

  1. Assume Signers#threshold is 1 and the Multisig holds a balance of 1 ether.

  2. A signer calls the function below. For the first argument he passes the address of his own contract, which can receive ether; for the second argument he passes the selector of a payable function in that contract, or leaves it empty because the contract has a payable fallback function; for the third argument he passes the Multisig's full balance or any amount of ether:

    // MultisigBase#execute: the onlySigners modifier is the only access control
    function execute(
        address target,
        bytes calldata callData,
        uint256 nativeValue
    ) external payable onlySigners {
        _call(target, callData, nativeValue);
    }

  3. Execution enters the onlySigners modifier and every check passes, because the threshold is 1 and this single call already meets it.

  4. Execution enters the _call function, which checks that the contract holds enough balance and then transfers the funds to the signer's contract.

Tools Used

Manual Review

Recommended Mitigation Steps

Change the threshold check in MultisigBase#_rotateSigners to the following line, so that a threshold of 1 is rejected along with 0:

if (newThreshold < 2) revert InvalidSignerThreshold();
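The following contract is an added example written for this page; it is not Axelar's MultisigBase and not code from the finding. It is a simplified model of a vote-counting multisig that illustrates both the scenario above (with threshold 1, the modifier executes on the first signer's call) and the recommended mitigation (the rotation path rejects any threshold below 2). The contract name, the storage names (isSigner, voteCount, hasVoted), the helpers _resetVotes and rotateSigners, the ExecutionFailed error, and the use of keccak256(msg.data) as the vote topic are all assumptions made for this model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: a simplified model of a vote-counting multisig. It is NOT
// Axelar's MultisigBase; all names below are assumed for illustration.
contract ThresholdMultisigModel {
    error NotSigner();
    error AlreadyVoted();
    error InvalidSigners();
    error InvalidSignerThreshold();
    error ExecutionFailed();

    address[] private signers;
    mapping(address => bool) public isSigner;
    uint256 public threshold;

    // Votes are keyed by the hash of the full calldata, so every signer must
    // submit the identical call (same target, data and value) for it to count.
    mapping(bytes32 => uint256) public voteCount;
    mapping(bytes32 => mapping(address => bool)) public hasVoted;

    constructor(address[] memory accounts, uint256 newThreshold) {
        _rotateSigners(accounts, newThreshold);
    }

    // Tallies the caller's vote for this exact calldata and runs the wrapped
    // function only once `threshold` distinct signers have voted.
    modifier onlySigners() {
        if (!isSigner[msg.sender]) revert NotSigner();
        bytes32 topic = keccak256(msg.data);
        if (hasVoted[topic][msg.sender]) revert AlreadyVoted();

        uint256 count = voteCount[topic] + 1;
        if (count < threshold) {
            // Not enough votes yet: record the vote and stop without executing.
            hasVoted[topic][msg.sender] = true;
            voteCount[topic] = count;
            return;
        }
        // Threshold reached: clear the tally and execute. With threshold == 1
        // this branch is taken on the very first call, so one signer acts alone.
        _resetVotes(topic);
        _;
    }

    function _resetVotes(bytes32 topic) private {
        for (uint256 i = 0; i < signers.length; ++i) {
            delete hasVoted[topic][signers[i]];
        }
        delete voteCount[topic];
    }

    function execute(address target, bytes calldata callData, uint256 nativeValue)
        external
        payable
        onlySigners
    {
        (bool ok, ) = target.call{value: nativeValue}(callData);
        if (!ok) revert ExecutionFailed();
    }

    function rotateSigners(address[] memory newAccounts, uint256 newThreshold)
        external
        onlySigners
    {
        _rotateSigners(newAccounts, newThreshold);
    }

    function _rotateSigners(address[] memory newAccounts, uint256 newThreshold) internal {
        if (newAccounts.length < newThreshold) revert InvalidSigners();

        // Weak validation: only a zero threshold is rejected, so threshold == 1
        // is accepted and the multisig degenerates into single-signer control.
        // if (newThreshold == 0) revert InvalidSignerThreshold();

        // Hardened validation (the recommended mitigation): at least two
        // distinct signers must approve every call.
        if (newThreshold < 2) revert InvalidSignerThreshold();

        for (uint256 i = 0; i < signers.length; ++i) {
            delete isSigner[signers[i]];
        }
        delete signers;

        for (uint256 i = 0; i < newAccounts.length; ++i) {
            address account = newAccounts[i];
            if (account == address(0) || isSigner[account]) revert InvalidSigners();
            isSigner[account] = true;
            signers.push(account);
        }
        threshold = newThreshold;
    }

    // Lets the model hold ether, as the Multisig does in the scenario.
    receive() external payable {}
}
```

Because the check runs inside _rotateSigners, it guards both the constructor and later signer rotations, so a threshold of 1 cannot be introduced at deployment or by a later vote. Deployments that already run with threshold 1 are not fixed by the code change alone and need a rotation to a threshold of at least 2.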

Assessed type

Invalid Validation

