Omniscia Alliance Block Audit

MultiSigWalletFactory Manual Review Findings

MSF-01M: Replace-Able Implementation

Description:

The usage of create2 enables a malicious user to deploy a seemingly correct wallet, then sacrifice ownership of it and replace it with a new contract over which they have complete control.

Example:

contracts/MultiSigWalletFactory.sol
    function deployUsingCreate2(address[] memory signers, uint256 salt)
        external
        returns (address)
    {
        // deploy contract
        address multiSigWalletAddress = _deployCreate2(
            getSalt(salt, msg.sender),
            type(MultiSigWallet).creationCode
        );
        emit MultiSigWalletDeployed(multiSigWalletAddress, msg.sender);
        // initialize contract
        MultiSigWallet msw = MultiSigWallet(multiSigWalletAddress);
        msw.initialize(signers);
        return multiSigWalletAddress;
    }

Recommendation:

This is possible because there is no mechanism to prevent reuse of the same salt: a user can replace an already deployed wallet with a new one over which they have complete control and re-initialize it with their own signers array. We advise introducing a mapping that ensures a particular salt has not already been used to deploy a wallet, guaranteeing that implementations cannot be replaced maliciously.
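
The recommended salt mapping, shown as an added example that is not the audited project's code. WalletStub, SaltGuardedFactory, usedSalts, the event parameter names and the body of getSalt are assumptions, and Solidity's salted `new` stands in for the page's `_deployCreate2` helper.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for MultiSigWallet; only initialize(address[]) is assumed.
contract WalletStub {
    address[] public signers;
    bool private initialized;

    function initialize(address[] memory _signers) external {
        require(!initialized, "already initialized");
        initialized = true;
        signers = _signers;
    }
}

contract SaltGuardedFactory {
    // Final salt (caller's salt bound to the caller) => already consumed.
    mapping(bytes32 => bool) public usedSalts;

    // Parameter names are assumed; the page shows only the emit call.
    event MultiSigWalletDeployed(address wallet, address deployer);

    // Assumed derivation: the page calls getSalt(salt, msg.sender) without its body.
    function getSalt(uint256 salt, address deployer) public pure returns (bytes32) {
        return keccak256(abi.encode(salt, deployer));
    }

    function deployUsingCreate2(address[] memory signers, uint256 salt)
        external
        returns (address)
    {
        bytes32 finalSalt = getSalt(salt, msg.sender);

        // A CREATE2 address is fixed by factory, salt and creation code, so a
        // reused salt always targets the same address. Burn each salt once.
        require(!usedSalts[finalSalt], "salt already used");
        usedSalts[finalSalt] = true;

        // Salted `new` performs CREATE2 and reverts if deployment fails.
        WalletStub msw = new WalletStub{salt: finalSalt}();
        emit MultiSigWalletDeployed(address(msw), msg.sender);

        msw.initialize(signers);
        return address(msw);
    }
}
```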

Alleviation:

The particular function is no longer within the contract, thus rendering this exhibit null.