Multisignature Wallet Security Audit

Audit Report Revisions

Audit Overview

We were tasked with performing an audit of the Tozex codebase and in particular their custom multi-signature wallet implementation.

Over the course of the audit, we identified multiple vulnerabilities that can significantly undermine the security of the multisignature wallet, including ways to reduce its effective threshold from m to m - 1.

We advise the Tozex team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.

Post-Audit Conclusion

The Tozex team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.

We evaluated all alleviations performed by Tozex and have identified that certain exhibits have not been adequately dealt with. We advise the Tozex team to revisit the following exhibits: MSW-02M, MSW-04M

Namely, exhibit MSW-02M indicates a significant undermining of the multi-signature wallet's security as it will downgrade any n-out-of-m scheme to 2-out-of-m effectively bypassing the purpose of the wallet's confirmation procedures.

As a final note, we would advise the Tozex team to revisit the MSW-01C exhibit as it was partially alleviated and exhibits MSW-03C and MSW-06M which, while alleviated, have had additional information introduced that the Tozex team may find useful.

Post-Audit Conclusion (8f83a1307b)

All previously open exhibits apart for MSW-06M have been fully alleviated by the Tozex team. While remediation actions were carried out for the re-evaluated MSW-06M exhibit in the form of a multi-signatory confirmation scheme, the implementation of it is presently insecure.

We advise the Tozex team to re-visit MSW-06M and apply the recommendations we provided in its latest alleviation chapter.

Post-Audit Conclusion (b2b3cc0949)

The code was updated to properly clear out signer change confirmations whenever a previous request is overwritten, however, it currently will not clear out all votes of the _newSigner when the last confirmation is processed.

We advise the code's statements to be re-ordered per the latest alleviation chapter of exhibit MSW-06M.

As a final note, we would like to state that a MultiSigWallet::signerExists modifier was introduced to the MultiSigWallet::submitTransaction function which is redundant as the same modifier is applied within the nested MultiSigWallet::confirmTransaction call.

As such, we also advise the modifier application to be omitted reducing the gas cost of submitting an initial transaction.

Post-Audit Conclusion (3408220c9f)

The Tozex team proceeded with alleviating the MSW-06M exhibit in full by re-ordering the statements as advised. The optimization recommendation we laid out in the previous conclusion, however, has not been applied.

Given that all security-related exhibits within the report have been alleviated by the Tozex team, we consider this audit round to have concluded.

Contracts Assessed

Audit Synopsis

Severity	Identified	Alleviated	Partially Alleviated	Acknowledged
	1	1	0	0
	10	10	0	0
	0	0	0	0
	2	2	0	0
	3	3	0	0

During the audit, we filtered and validated a total of 1 findings utilizing static analysis tools as well as identified a total of 15 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report:

• 💻 Compilation
• 🔍 Static Analysis
• 👁️ Manual Review
• 🖋️ Code Style