DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

Missing Multisig Wallet Tracking, Leading to Poor Usability

kvltbyte

Summary

The LikeRegistry contract deploys a new MultiSigWallet for each mutual match but fails to provide a straightforward way for users to retrieve the address of the multisig wallet associated with their match. While the state can be read directly from the blockchain, the lack of a user-friendly mechanism to track and retrieve multisig wallet addresses creates a poor user experience.

Vulnerability Details

Root Cause:

When a mutual match occurs, the matchRewards function deploys a new MultiSigWallet but does not store or provide a simple way to retrieve its address. Although the multisig wallet address can technically be read from the blockchain (e.g., by parsing events or transaction logs), this requires significant effort and technical expertise, which most users lack.
Example Scenario:

  1. User A and User B mutually like each other, triggering the matchRewards function.

  2. A new MultiSigWallet is deployed for A and B, and ETH is sent to it.

  3. User A wants to interact with the multisig wallet but cannot easily retrieve its address because the contract does not provide a helper function to do so.

Impact

  1. Poor User Experience: Users cannot easily retrieve the address of the multisig wallet associated with their match, making it difficult to interact with the matched funds.

  2. Increased Complexity: Users must rely on off-chain tools or manually parse blockchain data to retrieve the multisig wallet address, which is not practical for non-technical users.

  3. Reduced Trust in the Protocol: The lack of a user-friendly mechanism to track multisig wallets may lead to frustration and loss of trust in the protocol.

Recommendation

To address this issue, implement a helper function that allows users to easily retrieve the multisig wallet address for a specific match, regardless of the order in which the addresses are provided.

  1. Step 1: Add a Mapping to Track Multisig Wallets

Store the address of each deployed multisig wallet in a mapping, using the matched users’ addresses as the key:

mapping(address => mapping(address => address)) public multisigWallets;

  1. Step 2: Update matchRewards to Track Wallets

Modify the matchRewards function to store the multisig wallet address in the mapping for both combinations ([user1][user2] and [user2][user1]):

function matchRewards(address from, address to) internal {
// ... existing code ...
MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
multisigWallets[from][to] = address(multiSigWallet);
multisigWallets[to][from] = address(multiSigWallet);
// Emit an event with the multisig wallet address
emit Matched(from, to, address(multiSigWallet));
// Send ETH to the deployed multisig wallet
(bool success, ) = payable(address(multiSigWallet)).call{value: rewards}("");
require(success, "Transfer failed");
}

  1. Step 3: Add a Helper Function for Retrieval

Provide a function for users to retrieve the multisig wallet address for a specific match, handling both combinations of addresses:

function getMultisigWallet(address user1, address user2) external view returns (address) {
return multisigWallets[user1][user2] != address(0)
? multisigWallets[user1][user2]
: multisigWallets[user2][user1];
}

  1. Step 4: Emit an Event for Transparency

Emit an event when a multisig wallet is created:

event Matched(address indexed user1, address indexed user2, address multisigAddress);
Updates

Appeal created

n0kto Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.