Alchemy - Multisig Plugin

Off-Chain (Public)
Audited on 2025/02/17
No active critical issues

Summary

This audit covered an owner plugin for an ERC-6900 Modular Account that allows multiple owners to execute a `UserOp` only if a certain number of owners have signed that specific `UserOp` off-chain. The plugin implements a k-of-n signature threshold, which requires at least k valid owner signatures from a pool of n owners. This plugin is an owner plugin that would protect certain key modular account functionality and session key functionality.

Overall, the code is well written and follows very good software development practices. Throughout the audit, some issues were identified, ranging from Low to Informational in severity. The key issues revolve around compatibility with ERC-4337, such as ALC-MP-1 and ALC-MP-8, and compatibility with ERC-6900, such as ALC-MP-2. It is recommended that all issues be addressed.

The project has a good test suite of 40 tests and a branch coverage of 90%. The test suite consists of unit tests and fuzz tests. We recommend adding integration testing with a bundler, as such testing would help to detect issues like ALC-MP-1. The audit report also includes an issue reported by the Alchemy team during the audit (ALC-MP-9).

**Update Fix-Review** All issues have either been fixed or acknowledged. The test suite has been adequately updated to accommodate the changes.


Issues (9)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 3 | - | - | - | 3 |
| Fixed | 6 | - | - | - | 6 |
| Total | 9 | 0 | 0 | 0 | 9 |


Contracts (3)