DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Lack of Transaction Cancellation in MultiSigWallet.sol

Summary

The MultiSig contract lacks a mechanism for owners to cancel pending transactions after they have been submitted. This could lead to situations where outdated or unintended transactions remain indefinitely in the contract, potentially causing security or operational issues.

Vulnerability Details

Once a transaction is added to the transactions array, it cannot be removed or canceled.

Vulnerable Code

function submitTransaction(address _to, uint256 _value) external onlyOwners {
    if (_to == address(0)) revert InvalidRecipient();
    if (_value == 0) revert InvalidAmount();
    transactions.push(Transaction(_to, _value, false, false, false));
    uint256 txId = transactions.length - 1;
    emit TransactionCreated(txId, _to, _value);
}

Proof of Concept

  1. Owner A submits a transaction to send 10 ETH to an address.

  2. Owner B realizes the recipient address is incorrect or the transaction is no longer necessary.

  3. Owner B has no way to remove it, leaving the incorrect transaction indefinitely pending unless approved.

Impact

  • No ability to revoke a mistakenly created transaction

  • Potential griefing vector: owner A could submit a spam transaction, forcing owner B to either approve it or let it remain indefinitely

  • Blocked contract state: If too many transactions accumulate, owners may struggle to manage the contract efficiently

Tools Used

Manual review

Recommendations

Introduce a cancelTransaction(uint256 _txId) function that allows owners to revoke a pending transaction before execution.

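// Assumes a TransactionCanceled(uint256) event is declared in the contract.
function cancelTransaction(uint256 _txId) external onlyOwners {
    require(_txId < transactions.length, "Invalid transaction ID");
    Transaction storage txn = transactions[_txId];
    require(!txn.executed, "Transaction already executed");
    // delete resets the entry's fields to zero; the array length and other IDs are unchanged.
    delete transactions[_txId];
    emit TransactionCanceled(_txId);
}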

Benefits of this fix:

  • Owners can remove unintended transactions.

  • Prevents accumulation of useless or incorrect pending transactions.

  • Ensures better operational flexibility.
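
A variant of the recommendation, added here as an example and not taken from the audited MultiSigWallet.sol: because delete on an array element only zeroes its fields, a canceled entry would look like a fresh, unexecuted slot and could be canceled again, so this sketch marks the entry with a flag instead. The contract name, the four-field struct layout, owner1/owner2, isPending and the errors are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not the audited MultiSigWallet; struct layout and names are assumptions.
contract CancelableQueueSketch {
    error NotAnOwner();
    error InvalidTransactionId();
    error NotPending();

    struct Transaction {
        address to;
        uint256 value;
        bool executed;
        bool canceled; // tombstone flag, set instead of using `delete`
    }

    address public immutable owner1;
    address public immutable owner2;
    Transaction[] public transactions;

    event TransactionCanceled(uint256 indexed txId, address indexed by);

    modifier onlyOwners() {
        if (msg.sender != owner1 && msg.sender != owner2) revert NotAnOwner();
        _;
    }

    constructor(address _owner1, address _owner2) {
        owner1 = _owner1;
        owner2 = _owner2;
    }

    function submitTransaction(address _to, uint256 _value) external onlyOwners returns (uint256 txId) {
        transactions.push(Transaction(_to, _value, false, false));
        txId = transactions.length - 1;
    }

    // A pending entry is one that exists and is neither executed nor canceled.
    function isPending(uint256 _txId) public view returns (bool) {
        if (_txId >= transactions.length) revert InvalidTransactionId();
        Transaction storage txn = transactions[_txId];
        return !txn.executed && !txn.canceled;
    }

    function cancelTransaction(uint256 _txId) external onlyOwners {
        if (!isPending(_txId)) revert NotPending();
        transactions[_txId].canceled = true; // to/value stay readable, IDs never shift
        emit TransactionCanceled(_txId, msg.sender);
    }
}
```

Any approval or execution function added to this sketch would need the same isPending check, otherwise a canceled entry could still be acted on.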

Updates

Appeal created

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
