M-01. ExecuteTransaction haven't check balance
Summary
In the MultiSigWallet contract, the executeTransaction() function does not verify whether the contract has sufficient balance to execute the transaction. This can result in failed transactions, wasting gas fees.
Vulnerability Details
When executing a transaction in executeTransaction(), there is no check to confirm that the contract's balance is enough to cover the transaction value. As a result, if the contract does not have enough ETH, the transaction will fail, but the gas spent on the transaction will still be consumed.
Impact
Users may lose gas fees due to failed transactions.
Contract execution may fail unpredictably if there isn't enough balance, which can cause a poor user experience.
Increased risk of unintentional errors if there are multiple pending transactions.
Tools Used
Manual code review
Static analysis tools
Recommendations
-
Add a balance check to the
executeTransaction()function to ensure that the contract has enough ETH before attempting the transaction:require(address(this).balance >= txn.value, "Insufficient contract balance"); -
After adding the balance check, re-test the contract to verify that transactions are executed successfully only when the contract has enough funds to complete them.
Appeal created
Users mistake, only impacting themselves.
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.