Lines of code
Vulnerability details
C4 Issue
https://github.com/code-423n4/2024-01-salty-findings/issues/49
Comments
The ManagedWallet.sol contract allows wallet address changes through a mechanism of proposal, confirmation, and a 30-day timelock. However, a flaw allows this timelock to be bypassed: the confirmation wallet can send 0.05 ether to trigger the timelock prematurely, without an active proposal. Once 30 days elapse, the main wallet can propose and immediately execute new wallet address changes through changeWallets(), circumventing the intended 30-day review period.
Mitigation
https://github.com/othernet-global/salty-io/commit/5766592880737a5e682bb694a3a79e12926d48a5
The managed wallet contract has been deprecated fully, so the issue has been mitigated.
Conclusion
LGTM
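The timelock bypass described under Comments, replayed against a simplified Python model of the propose/confirm/timelock state machine. This is an added example, not code from ManagedWallet.sol or the Salty.IO project; the class, its method names and the `require_proposal` guard are assumptions made for illustration (the project's own mitigation was to deprecate the contract).

```python
# Simplified model (an assumption, not ManagedWallet.sol itself): only the
# state needed to show the timelock being armed with no proposal pending.
DAY = 86_400
TIMELOCK = 30 * DAY
NEVER = float("inf")   # stands in for "no timelock active"
ARM_VALUE = 0.05       # ether sent by the confirmation wallet

class Wallet:
    def __init__(self, main, confirm, require_proposal):
        self.main, self.confirm = main, confirm
        self.proposed = None              # (new_main, new_confirm) or None
        self.proposed_at = None
        self.active_timelock = NEVER
        self.require_proposal = require_proposal  # hypothetical guard

    def propose(self, sender, new_main, new_confirm, now):
        if sender != self.main or self.proposed is not None:
            raise PermissionError("cannot propose")
        self.proposed, self.proposed_at = (new_main, new_confirm), now

    def receive(self, sender, value, now):
        if sender != self.confirm:
            raise PermissionError("invalid sender")
        # Hardened variant: confirming is only meaningful for a pending proposal.
        if self.require_proposal and self.proposed is None:
            raise RuntimeError("no active proposal to confirm")
        if value >= ARM_VALUE:
            self.active_timelock = now + TIMELOCK

    def change_wallets(self, now):
        if self.proposed is None or now < self.active_timelock:
            raise RuntimeError("timelock not yet completed")
        self.main, self.confirm = self.proposed
        review = now - self.proposed_at
        # Reset so an expired timelock cannot be reused for a later proposal.
        self.proposed, self.active_timelock = None, NEVER
        return review  # seconds the proposal was visible before taking effect

def review_window(require_proposal):
    """Replay the finding's sequence; return the review time in seconds,
    or None if the wallet rejects the sequence."""
    w = Wallet("main", "confirm", require_proposal)
    try:
        w.receive("confirm", 0.05, now=0)   # timelock armed, nothing proposed
        w.propose("main", "new_main", "new_confirm", now=31 * DAY)
        return w.change_wallets(now=31 * DAY)  # same timestamp as the proposal
    except RuntimeError:
        return None
```

With the guard off the proposal takes effect after zero seconds of review; with it on, the early 0.05 ether transfer is rejected and the timelock can only start once a proposal exists.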