Assessment reportsPublic findings
Back to Zellic site
Assessment reports>SPL Token 2022>Discussion>Multisig account behavior
GeneralOverview
Findings
Critical (2)
High (1)
Low (3)
DiscussionMultisig account behaviorUnclear purposeUnnecessary initialization checkConfusing checkAlternative extension dedupAppendix
Audit ResultsAudit Results

Behavior of multisig accounts with repeated signers

During our audit we observed that it is possible to initialize a multisig account with the same signer repeated multiple times.

The function used for validating the signers of a transaction, validate_owner, counts a signer of a transaction as having signed it the exact number of times the account is repeated, regardless of how many times the account appears in the list of signers. Despite this being reasonable behavior, it is unclear if this specific edge case was considered.

The Solana Foundation engineering team acknowledged this discussion point.

Zellic © 2024Back to top ↑