Open howydev opened 1 month ago
Hi @howydev,
Is anyone working on this issue?
hey @TheMarvelFan! We'll want to audit the change before deploying it into production. Since this is only a low risk issue, we've opted to push this update till the v2 module instead
If any smart contract has not installed the Multisig plugin, it would have a signature threshold of 0, and passing an empty signature into the `isValidSignature` function would cause it to return success.
Considering applications that support ERC1271 - anyone is able to transfer USDC tokens out of the multisig plugin with an empty signature with USDC v2.2, as it supports ERC2612 permit with ERC1271. Note that this is limited to tokens that support 2612 with 1271, and permit2 does not work since it requires an underlying token approval from the multisig plugin to the permit2 contract that cannot happen
Since tokens are not transferred to the multisig plugin during normal operation, it functions like a "public sweep". Nonetheless, this is unintended and will be addressed in multisig plugin v2
Credit: @unknownfeature
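A simplified illustration of the threshold check described in this issue, written here as an added example rather than the plugin's own code. The storage layout, the `install` function, the use of `msg.sender` as the account, and the packed 65-byte r||s||v signature format are all assumptions; the vulnerable and hardened ERC-1271 entry points are shown side by side.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract (not the Multisig plugin's code): an ERC-1271 threshold
// check that passes trivially for an account that never installed a multisig.
contract ThresholdSigIllustration {
    bytes4 internal constant MAGIC = 0x1626ba7e; // ERC-1271 success value
    bytes4 internal constant FAIL = 0xffffffff;

    // Assumed storage: per-account owners and threshold, both zero until install().
    mapping(address => mapping(address => bool)) public isOwner;
    mapping(address => uint256) public threshold;

    function install(address[] calldata owners, uint256 t) external {
        require(t > 0 && t <= owners.length, "bad threshold");
        for (uint256 i = 0; i < owners.length; i++) isOwner[msg.sender][owners[i]] = true;
        threshold[msg.sender] = t;
    }

    // Counts distinct owner signatures over `hash`. Assumed format: 65-byte r||s||v
    // chunks, signers supplied in strictly ascending address order (prevents reuse).
    function _validCount(address account, bytes32 hash, bytes calldata sigs)
        internal view returns (uint256 n)
    {
        address last;
        for (uint256 i = 0; i + 65 <= sigs.length; i += 65) {
            (bytes32 r, bytes32 s) = abi.decode(sigs[i:i + 64], (bytes32, bytes32));
            uint8 v = uint8(sigs[i + 64]);
            address signer = ecrecover(hash, v, r, s);
            if (signer != address(0) && signer > last && isOwner[account][signer]) {
                n++;
                last = signer;
            }
        }
    }

    // VULNERABLE: for an uninstalled account threshold is 0, so an empty `sigs`
    // gives 0 >= 0 and the function returns MAGIC (the bug described above).
    function isValidSignatureVulnerable(bytes32 hash, bytes calldata sigs)
        external view returns (bytes4)
    {
        return _validCount(msg.sender, hash, sigs) >= threshold[msg.sender] ? MAGIC : FAIL;
    }

    // HARDENED: an account with no installed threshold never validates anything.
    function isValidSignature(bytes32 hash, bytes calldata sigs) external view returns (bytes4) {
        uint256 t = threshold[msg.sender];
        if (t == 0) return FAIL;
        return _validCount(msg.sender, hash, sigs) >= t ? MAGIC : FAIL;
    }
}
```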