From 10c09c6f38b343a942878d322381769190bd31f4 Mon Sep 17 00:00:00 2001 From: Julianemeka Date: Thu, 4 Jun 2026 02:36:09 +0000 Subject: [PATCH] docs: mark SC-031 as COMPLETED and update changelog --- CHANGELOG.md | 1 + ISSUES.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 158407a..b1d0127 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +- Fix duplicate signer vulnerability in `initiate_multisig_payment` by returning `InvalidInput` (SC-031). - Remove unused `StorageError` variant from the payment contract ABI. - Harden payment and refund flows against external token transfer re-entrancy by committing state before external calls. - Add best-effort zero/burn admin address validation and test coverage for invalid admin assignment. diff --git a/ISSUES.md b/ISSUES.md index 41650e4..46d96f3 100644 --- a/ISSUES.md +++ b/ISSUES.md @@ -1630,7 +1630,7 @@ --- -### SC-031 · No check for duplicate signers in `required_signers` list +### SC-031 · No check for duplicate signers in `required_signers` list [COMPLETED] **Description:** `initiate_multisig_payment` does not deduplicate `required_signers`. The same address appearing twice lets one signer satisfy two slots and execute a payment alone.
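Review bot: The line added under `## [Unreleased]` in CHANGELOG.md records a security fix to `initiate_multisig_payment`, but this patch changes only CHANGELOG.md and ISSUES.md (2 insertions, 1 deletion), so nothing here lets a reader confirm the check exists. Reference the commit or PR that added the duplicate check and its test, and state the rejected condition in the entry itself, for example: "Reject duplicate addresses in `required_signers` in `initiate_multisig_payment` with `InvalidInput` (SC-031)."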
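Review bot: In the ISSUES.md hunk the heading gains `[COMPLETED]`, yet the **Description:** line directly below it still reads "`initiate_multisig_payment` does not deduplicate `required_signers`" in the present tense, so the entry now contradicts its own status. Add a resolution line under the description saying that a repeated address is now rejected with `InvalidInput` (the behaviour the CHANGELOG.md entry names) rather than silently deduplicated, and point to the fixing commit and the test that covers a signer listed twice.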