DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

No Tracking of Created MultiSig Wallet for matched Users which can cause loss of funds

Summary

The MultiSig wallet created during mutual matches is not tracked, and no event is emitted.

Vulnerability Details

The LikeRegistry::matchRewards function deploys a new MultiSig wallet but does not store its address or emit an event. This makes it difficult to track or interact with deployed MultiSig wallets.

function matchRewards(address from, address to) internal {
    uint256 matchUserOne = userBalances[from]; //@audit-issue it will always be zero, not added in likeUser() -ref: A1
    uint256 matchUserTwo = userBalances[to];
    userBalances[from] = 0;
    userBalances[to] = 0;
    uint256 totalRewards = matchUserOne + matchUserTwo;
    uint256 matchingFees = (totalRewards * FIXEDFEE) / 100;
    uint256 rewards = totalRewards - matchingFees;
    totalFees += matchingFees;
    // Deploy a MultiSig contract for the matched users
@>  MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
    // Send ETH to the deployed multisig wallet
    (bool success,) = payable(address(multiSigWallet)).call{value: rewards}("");
    require(success, "Transfer failed");
}

Impact

  • Lack of tracking for MultiSig wallets limits transparency and usability.

  • Users and the contract owner cannot easily monitor or interact with deployed wallets.

  • Potential loss of funds if users cannot track where their funds are being transferred to.

Tools Used

  • Manual code review.

Recommendations

Add a mapping or array to track deployed MultiSig wallets, or emit an event. The diff in this section takes the event approach.
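The mapping option mentioned in this recommendation could look like the following. This is an added example, not code from the submission or from the DatingDapp project; `MultiSigWalletStub`, `MatchWalletRegistry`, `pairKey`, `getMatchWallet`, `getWallets` and `_deployAndTrack` are hypothetical names, and the stub assumes only a two-owner constructor and the ability to receive ETH.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal stand-in for the project's MultiSigWallet (assumption: only the
// two-owner constructor and a payable receive function matter here).
contract MultiSigWalletStub {
    address public immutable owner1;
    address public immutable owner2;

    constructor(address _owner1, address _owner2) {
        owner1 = _owner1;
        owner2 = _owner2;
    }

    receive() external payable {}
}

// Hypothetical registry that isolates the tracking logic.
contract MatchWalletRegistry {
    // Wallet of an unordered pair; a repeat match overwrites this entry.
    mapping(bytes32 => address) private walletOfPair;
    // Every wallet a user co-owns, so none is lost if a pair matches again.
    mapping(address => address[]) private walletsOfUser;

    event MultiSigDeployed(address indexed user1, address indexed user2, address multiSigWallet);

    // Order-independent key: (a, b) and (b, a) resolve to the same wallet.
    function pairKey(address a, address b) public pure returns (bytes32) {
        return a < b ? keccak256(abi.encodePacked(a, b)) : keccak256(abi.encodePacked(b, a));
    }

    function getMatchWallet(address a, address b) external view returns (address) {
        return walletOfPair[pairKey(a, b)];
    }

    function getWallets(address user) external view returns (address[] memory) {
        return walletsOfUser[user];
    }

    // Stand-in for the deployment step of matchRewards: record, log, then fund.
    function _deployAndTrack(address from, address to, uint256 rewards) internal returns (address wallet) {
        wallet = address(new MultiSigWalletStub(from, to));
        walletOfPair[pairKey(from, to)] = wallet;
        walletsOfUser[from].push(wallet);
        walletsOfUser[to].push(wallet);
        emit MultiSigDeployed(from, to, wallet);
        (bool success,) = payable(wallet).call{value: rewards}("");
        require(success, "Transfer failed");
    }
}
```

State is written before the external call, so a failed transfer reverts the mapping entries and the log together.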

+ event MultiSigDeployed(address indexed user1, address indexed user2, address multiSigWallet);
function matchRewards(address from, address to) internal {
uint256 matchUserOne = userBalances[from];
uint256 matchUserTwo = userBalances[to];
userBalances[from] = 0;
userBalances[to] = 0;
uint256 totalRewards = matchUserOne + matchUserTwo;
uint256 matchingFees = (totalRewards * FIXEDFEE) / 100;
uint256 rewards = totalRewards - matchingFees;
totalFees += matchingFees;
MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
+ emit MultiSigDeployed(from, to, address(multiSigWallet));
(bool success,) = payable(address(multiSigWallet)).call{value: rewards}("");
require(success, "Transfer failed");
}
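Review bot: the `MultiSigDeployed` event declared at the top of this hunk leaves `multiSigWallet` unindexed and carries no amount, so a log consumer cannot filter by wallet address or tell from the event alone how much ETH the wallet received. Consider `address indexed multiSigWallet` and an added `uint256 rewards` field. The hunk also adds no storage for the address, so other contracts and view calls still cannot look the wallet up on-chain; if that is needed, pair the event with the mapping the recommendation text mentions. Placing the `emit` before the `call` is fine, since a failed transfer reverts the transaction and the log with it.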
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
