code-423n4 / 2024-04-coinbase-mitigation-findings


QA-01 MitigationConfirmed #9

Open c4-bot-5 opened 6 months ago

c4-bot-5 commented 6 months ago

Lines of code

Vulnerability details

Comments

The protocol wallet owners have cross chain methods to manage owners.

Vulnerability details

The root cause is in one of the owner-managing methods, which can remove all wallet owners, leaving wallet funds locked inside and also locking any other interaction with the wallet.

The method in question is removeOwnerAtIndex, which can remove all assigned wallet owners.

Mitigation

The issue is successfully remediated by applying the PR

The patch adds this check that prevents removeOwnerAtIndex from removing all owners.

The variables nextOwnerIndex and removedOwnersCount used in the previous check are correctly accounted for.

Suggestions

Consider adding this newly added method named removeLastOwner to the list of cross chain callable methods for managing wallet owners.

Notes

The same PR also:

Conclusions

Successful Mitigation
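
A simplified Solidity model of the guard discussed in the comment above, added here as an illustration; it is not the wallet's source or the PR's diff. Only removeOwnerAtIndex, removeLastOwner, nextOwnerIndex and removedOwnersCount are names from the page; the contract name, the errors, address-typed owners and the exact revert conditions are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model written for this example; not the audited wallet's code.
contract OwnerSetModel {
    error Unauthorized();
    error InvalidOwner();
    error NoOwnerAtIndex(uint256 index);
    error LastOwner();
    error NotLastOwner(uint256 ownersRemaining);

    mapping(uint256 => address) public ownerAtIndex; // assumption: owners are plain addresses
    mapping(address => bool) public isOwner;
    uint256 public nextOwnerIndex;     // only ever increases
    uint256 public removedOwnersCount; // only ever increases

    modifier onlyOwner() { if (!isOwner[msg.sender]) revert Unauthorized(); _; }

    constructor(address firstOwner) { _add(firstOwner); }

    // Live owners = indexes handed out minus indexes removed.
    function ownerCount() public view returns (uint256) {
        return nextOwnerIndex - removedOwnersCount;
    }

    function addOwner(address owner) external onlyOwner { _add(owner); }

    // Guarded path: reverts instead of leaving the wallet with zero owners.
    function removeOwnerAtIndex(uint256 index) external onlyOwner {
        if (ownerCount() == 1) revert LastOwner();
        _remove(index);
    }

    // Separate, explicit path for deliberately removing the final owner.
    function removeLastOwner(uint256 index) external onlyOwner {
        if (ownerCount() > 1) revert NotLastOwner(ownerCount());
        _remove(index);
    }

    function _add(address owner) internal {
        if (owner == address(0) || isOwner[owner]) revert InvalidOwner();
        isOwner[owner] = true;
        ownerAtIndex[nextOwnerIndex++] = owner;
    }

    function _remove(uint256 index) internal {
        address owner = ownerAtIndex[index];
        if (owner == address(0)) revert NoOwnerAtIndex(index);
        delete isOwner[owner];
        delete ownerAtIndex[index];
        removedOwnersCount++;
    }
}
```

Because both counters only increase and `_remove` rejects empty slots, `ownerCount()` cannot underflow, and the `== 1` guard is the single place that decides whether a removal would strand the wallet.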

c4-judge commented 6 months ago

3docSec marked the issue as satisfactory

stevieraykatz commented 6 months ago

This is a good suggestion! We will likely implement it.

c4-judge commented 6 months ago

3docSec marked the issue as confirmed for report