Security Audit Report
I performed an independent security audit of MultiSafe.
Commit audited: fc61a4f668817b1d81965f087c9c8eb4f3bd4275
Full report: https://cocoa007.github.io/clarity-audit/multisafe.html
Summary
- Critical: 1 finding
- High: 2 findings
- Medium: 2 findings
- Low: 2 findings
- Informational: 2 findings
Critical Finding
C-01: Stale Threshold on Pending Transactions — When a transaction is submitted, the threshold in force at that moment is copied into the transaction record. If the threshold is later increased, pending transactions keep the old (lower) value and can be executed with fewer confirmations than the safe currently requires.
```clarity
;; In add():
threshold: (var-get threshold), ;; snapshot taken at submission time

;; In confirm():
(confirmed (>= (len new-confirmations) (get threshold tx))) ;; compares against the stale snapshot, not the current threshold
```
Fix: Use (var-get threshold) at confirmation time instead of (get threshold tx).
High Findings
H-01: A colluding group of owners equal to the threshold can systematically remove all other owners, capturing the safe.
H-02: as-contract gives executors blanket authority over all safe assets. Consider an executor allowlist and migrating to Clarity 4 as-contract? with explicit asset restrictions.
Top Recommendations
- Use current threshold at confirmation time, not the stored snapshot
- Implement an executor allowlist (only pre-approved executors can run)
- Add transaction expiration (block-height-based TTL)
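To make the C-01 behaviour and the three recommendations concrete, here is an added toy model in Python of the submit/confirm/execute flow. It is not MultiSafe's Clarity code; the `Safe`/`Tx` classes, the `use_current_threshold` switch, the `executors` allowlist and the `ttl_blocks` expiry are assumptions made for illustration. Running the same scenario with the stale-snapshot check and with the current-threshold check shows why the former is exploitable, and `stale_pending()` is the check an operator would run to find transactions that were submitted before a threshold increase.

```python
# Added example: a toy Python model of the flow the audit describes.
# It is not MultiSafe's Clarity code; all names below are assumptions.
from dataclasses import dataclass, field


@dataclass
class Tx:
    tx_id: int
    submitted_at: int            # block height at submission (for the TTL check)
    snapshot_threshold: int      # what add() stores today (the value C-01 says is reused)
    confirmations: set = field(default_factory=set)
    executed: bool = False


class Safe:
    """Minimal multisig: owners confirm, a caller executes once enough confirmations exist."""

    def __init__(self, owners, threshold, use_current_threshold, executors=None, ttl_blocks=None):
        self.owners = set(owners)
        self.threshold = threshold
        self.use_current_threshold = use_current_threshold   # False reproduces C-01
        self.executors = None if executors is None else set(executors)  # None = anyone may execute
        self.ttl_blocks = ttl_blocks                          # None = no expiration
        self.block_height = 0
        self.txs = {}

    def submit(self, owner):
        if owner not in self.owners:
            raise PermissionError("not an owner")
        tx = Tx(len(self.txs), self.block_height, self.threshold)  # snapshot, as in add()
        self.txs[tx.tx_id] = tx
        return tx.tx_id

    def confirm(self, tx_id, owner):
        if owner not in self.owners:
            raise PermissionError("not an owner")
        self.txs[tx_id].confirmations.add(owner)

    def required(self, tx):
        # The fix: read the live threshold instead of the stored snapshot.
        return self.threshold if self.use_current_threshold else tx.snapshot_threshold

    def execute(self, tx_id, caller):
        tx = self.txs[tx_id]
        if tx.executed:
            return "already executed"
        if self.executors is not None and caller not in self.executors:
            return "executor not allowed"                     # executor allowlist
        if self.ttl_blocks is not None and self.block_height > tx.submitted_at + self.ttl_blocks:
            return "expired"                                  # block-height-based TTL
        if len(tx.confirmations) < self.required(tx):
            return "insufficient confirmations"
        tx.executed = True
        return "executed"

    def stale_pending(self):
        """Audit check: pending txs whose snapshot is below the current threshold."""
        return sorted(t.tx_id for t in self.txs.values()
                      if not t.executed and t.snapshot_threshold < self.threshold)


def stale_threshold_scenario(use_current_threshold):
    safe = Safe(["alice", "bob", "carol", "dave"], threshold=2,
                use_current_threshold=use_current_threshold)
    tx = safe.submit("alice")
    safe.confirm(tx, "alice")
    safe.threshold = 3                     # owners raise the threshold after submission
    stale = safe.stale_pending()           # [0]: the tx still carries threshold 2
    safe.confirm(tx, "bob")                # only 2 of the now-required 3 confirmations
    return safe.execute(tx, "alice"), stale


def executor_allowlist_scenario():
    safe = Safe(["alice", "bob"], threshold=2, use_current_threshold=True, executors=["alice"])
    tx = safe.submit("alice")
    safe.confirm(tx, "alice"); safe.confirm(tx, "bob")
    return safe.execute(tx, "mallory"), safe.execute(tx, "alice")


def ttl_scenario():
    safe = Safe(["alice", "bob"], threshold=2, use_current_threshold=True, ttl_blocks=10)
    tx = safe.submit("alice")
    safe.confirm(tx, "alice"); safe.confirm(tx, "bob")
    safe.block_height = 11                 # past submitted_at + ttl_blocks
    return safe.execute(tx, "alice")


if __name__ == "__main__":
    print(stale_threshold_scenario(False))   # ('executed', [0])  <- C-01
    print(stale_threshold_scenario(True))    # ('insufficient confirmations', [0])
    print(executor_allowlist_scenario())     # ('executor not allowed', 'executed')
    print(ttl_scenario())                    # 'expired'
```

Note that in the model, as in the contract fragment above, the dangerous state is created by ordinary actions (submit, then raise the threshold); the `stale_pending()` scan is cheap to run against the contract's pending-transaction map and is a reasonable post-deployment check until the confirmation logic reads the live threshold.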
Independent audit by cocoa007.btc — Full audit portfolio