DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

User can steal all the funds from `MultiSigWallet` By submitting malicious transaction.

gaurangbrdv

Description

If Matches occures in `LikeRegistry` contract then it will create a `MultiSigWallet` for both, and transfer the funds to that wallet. Both are owner of that wallet and access the funds by submitting the transaction. Any one of owner can submit the transaction to that wallet. After transaction is approved by both the owner it can be executed.
But on one can see the data of the transaction submitted by one of the owner. It is only able to approve. So it could be possible that one owner maliciously submit the transaction and do the manipulations to second owner and approve the transaction and then execute it.

Impact

One of the owner can steal all the fuds of another owner by submitting a malicious transaction.

Proof of Concept

Suppose there are two owner `user1` and `user2`.
one of the owner submit the transaction to him/her self for all the funds stored in wallet, Then he/she manipulate second owner and maliciously approve the transaction and steal all the money of another owner.
Proof Of Code:
Add this to created `testMultiSigWallet.t.sol` file.
Test the `testOneOwnerCanStealTheFunds` function.
```javascript
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import {Test, console} from "forge-std/Test.sol";
import {MultiSigWallet} from "../src/MultiSig.sol";
contract testMultiSig is Test {
MultiSigWallet multiSig;
address owner1 = makeAddr("owner1");
address owner2 = makeAddr("owner2");
function setUp() public {
multiSig = new MultiSigWallet(owner1, owner2);
vm.deal(owner1, 2e18);
vm.deal(owner2, 2e18);
vm.prank(owner1);
payable(address(multiSig)).call{value: 1e18}("");
vm.prank(owner2);
payable(address(multiSig)).call{value: 1e18}("");
}
function testGetBalanceOfContractAndOwners() public view {
assertEq(address(multiSig).balance, 2e18, "Contract balance should be 2");
assertEq(address(owner1).balance, 1e18, "Owner1 balance should be 1");
assertEq(address(owner2).balance, 1e18, "Owner2 balance should be 1");
}
function testUserHaveNotEnoughBalance() public {
address user = makeAddr("user");
vm.prank(owner1);
multiSig.submitTransaction(user, 3e18);
uint256 txId = 0;
vm.prank(owner2);
multiSig.approveTransaction(txId);
vm.prank(owner1);
multiSig.approveTransaction(txId);
vm.prank(owner1);
vm.expectRevert();
multiSig.executeTransaction(txId);
console.log("Balance Of user: ", user.balance);
console.log("Balance of owner1: ", owner1.balance);
}
function testOneOwnerCanStealTheFunds() public {
uint256 startingContractBalance = address(multiSig).balance;
vm.prank(owner1);
multiSig.submitTransaction(owner1, startingContractBalance);
vm.prank(owner1);
multiSig.approveTransaction(0);
//Now he/she do the manipulation to second owner to approve the transaction as he/she can not see the data of the transaction.
vm.prank(owner2);
multiSig.approveTransaction(0);
vm.prank(owner1);
multiSig.executeTransaction(0);
uint256 endingContractBalanec = address(multiSig).balance;
assertEq(endingContractBalanec, 0, "Contract balance should be 0");
console.log("Balance of owner1: ", owner1.balance);
}
}
```

Recommended Mitigation

Protocol should implement functionality to check or see the transaction data to both the owners.
Add this function in `MultiSigWallet` contract.
```javascript
function seeTransaction(uint256 _txId) external view onlyOwners returns (address, uint256, bool, bool, bool) {
Transaction memory txn;
if (_txId < transactions.length) {
txn = transactions[_txId];
}
return (txn.to, txn.value, txn.approvedByOwner1, txn.approvedByOwner2, txn.executed);
}
```
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Users mistake, only impacting themselves.

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.