Time-out is bundled with the multisig request
Description
The time-out is bundled with the multisig request contracts (MultisigSigner) through the request cell that is passed in the constructor.
We have some concerns about the effectiveness of this design. For more details, please see section .
Impact
This is problematic if, for example, a malicious member submits proposals with effectively infinite time-outs.
The malicious member then has time to compromise the other members, and when the owner changes the members in the Multisig contract, the change has no effect on the maliciously created MultisigSigner contracts.
Recommendations
We recommend not bundling the request time-out with the request.
Remediation
This finding was addressed in the TON multisig contract in commit 68b5af, and in the USDT multisig in commit 0d6693. The time-out after which a proposal expires is now a fixed value, enforced by the main Multisig contract.
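The following Python model is an added illustration, not code from the audited contracts. It contrasts a proposer-supplied time-out with one fixed by the main contract. The class names, member names and the FIXED_TIMEOUT value are assumptions made for the example.

```python
# Simplified model, constructed for illustration; not the audited contract code.
from dataclasses import dataclass

FIXED_TIMEOUT = 7 * 24 * 3600  # assumed value; the page does not state the real one

@dataclass
class Signer:
    """Stands in for a MultisigSigner: snapshots the members at deployment."""
    members: frozenset
    threshold: int
    expires_at: int
    approvals: set

    def approve(self, member, now):
        if now >= self.expires_at:
            raise ValueError("request expired")
        if member not in self.members:
            raise ValueError("not a member of this request")
        self.approvals.add(member)
        return len(self.approvals) >= self.threshold  # True once executable

class Multisig:
    def __init__(self, members, threshold, bundled_timeout):
        self.members = frozenset(members)
        self.threshold = threshold
        self.bundled_timeout = bundled_timeout  # True models the original design

    def set_members(self, members):
        # Affects only later requests; deployed signers keep their snapshot.
        self.members = frozenset(members)

    def new_request(self, proposer, now, requested_timeout):
        if proposer not in self.members:
            raise ValueError("proposer is not a member")
        # Original design: the proposer's time-out travels inside the request.
        # Remediated design: the main contract ignores it and applies a fixed value.
        timeout = requested_timeout if self.bundled_timeout else FIXED_TIMEOUT
        return Signer(self.members, self.threshold, now + timeout, set())

def stale_request_executes(bundled_timeout, delay):
    """Does a request from a since-removed member still reach threshold after `delay` s?"""
    wallet = Multisig({"alice", "bob", "mallory"}, 2, bundled_timeout)
    req = wallet.new_request("mallory", now=0, requested_timeout=2**62)
    wallet.set_members({"alice", "bob", "carol"})  # owner's rotation
    try:
        req.approve("mallory", now=delay)
        return req.approve("bob", now=delay)  # bob's key is assumed compromised
    except ValueError:
        return False
```

In this model the fixed time-out bounds the exposure window rather than removing it: a request created before the rotation is still executable by the old member set until FIXED_TIMEOUT elapses.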