The LikeRegistry contract creates a new MultiSigWallet for each matched user pair in the matchRewards function. The address of that wallet is never written to contract storage or emitted in an event, so the protocol gives users no way to look up and interact with their MultiSigWallet instance. As a result, the ETH rewards sent to the wallet are locked and inaccessible to the matched users, which amounts to a loss of funds for them.
In LikeRegistry.sol, the matchRewards function creates a new MultiSigWallet contract for the two matched users:
PoC
Steps to Reproduce the Issue:
1. Alice likes Bob, and Bob likes Alice back, triggering a match.
2. matchRewards runs: it creates a new MultiSigWallet for the pair and sends the ETH rewards to it.
3. The address of the new MultiSigWallet is not stored in any state variable and is not emitted in an event.
4. Alice and Bob have no way, through LikeRegistry, to discover the wallet's address, so they cannot approve or withdraw anything from it.
5. The rewards sit in a wallet that neither owner can operate.

Impact:
- Matched users lose access to the ETH rewards deposited for their match.
- Every MultiSigWallet deployed by matchRewards is unusable in practice.
- ETH sent to such a wallet stays there unless the owners find the address by other means.

Caveat: the address is not unrecoverable in the strict sense. A contract deployed with CREATE lives at keccak256(rlp([deployer, nonce]))[12:], so it can be derived off-chain from LikeRegistry's address and its nonce at the time of the match, or read from the internal calls of the matching transaction on a block explorer. The defect is the absence of any on-chain lookup, which an ordinary user of the dapp will not work around.
Manual review
To prevent this, store the created MultiSigWallet address in a mapping keyed by the matched pair (and, for convenience, per user) and emit an event carrying it, so users and front ends can retrieve the wallet and interact with it.
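The following is an added illustration of that recommendation, not code from the Dating Dapp project or from this submission. PairWallet is a deliberately minimal 2-of-2 stand-in for the project's MultiSigWallet, and PairWalletRegistry, walletOf, walletsFor, pairKey and WalletCreated are hypothetical names chosen for the example; only the pattern (record the address in storage and emit it) is the point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal 2-of-2 wallet used only for this example (stand-in for MultiSigWallet).
contract PairWallet {
    address public immutable ownerA;
    address public immutable ownerB;
    mapping(address => bool) public approvedBy;

    constructor(address a, address b) {
        require(a != address(0) && b != address(0) && a != b, "bad owners");
        ownerA = a;
        ownerB = b;
    }

    // Accept the reward transfer from the registry.
    receive() external payable {}

    // Each owner approves; once both have approved, the balance can be split.
    function approve() external {
        require(msg.sender == ownerA || msg.sender == ownerB, "not owner");
        approvedBy[msg.sender] = true;
    }

    function withdrawSplit() external {
        require(approvedBy[ownerA] && approvedBy[ownerB], "needs both approvals");
        // Effects before interactions: clear approvals so a re-entrant call fails the check above.
        approvedBy[ownerA] = false;
        approvedBy[ownerB] = false;
        uint256 total = address(this).balance;
        uint256 half = total / 2;
        (bool okA,) = ownerA.call{value: half}("");
        (bool okB,) = ownerB.call{value: total - half}("");
        require(okA && okB, "transfer failed");
    }
}

// Hypothetical registry showing the fix: the wallet address is stored and emitted.
contract PairWalletRegistry {
    // Order-independent key for a pair, so (alice, bob) and (bob, alice) map to one wallet.
    mapping(bytes32 => address) public walletOf;
    // Per-user index so a front end can list every wallet a user co-owns.
    mapping(address => address[]) private _walletsOfUser;

    event WalletCreated(address indexed userA, address indexed userB, address wallet);

    function pairKey(address a, address b) public pure returns (bytes32) {
        (address lo, address hi) = a < b ? (a, b) : (b, a);
        return keccak256(abi.encodePacked(lo, hi));
    }

    function walletsFor(address user) external view returns (address[] memory) {
        return _walletsOfUser[user];
    }

    // In the real contract this would be internal and called from matchRewards with the
    // computed reward amount; it is external payable here so the example can be exercised.
    function createAndFundWallet(address a, address b) external payable returns (address) {
        bytes32 key = pairKey(a, b);
        require(walletOf[key] == address(0), "wallet already exists for pair");

        PairWallet w = new PairWallet(a, b);

        // The missing step in the reported code: persist and announce the address.
        walletOf[key] = address(w);
        _walletsOfUser[a].push(address(w));
        _walletsOfUser[b].push(address(w));
        emit WalletCreated(a, b, address(w));

        (bool ok,) = address(w).call{value: msg.value}("");
        require(ok, "funding failed");
        return address(w);
    }
}
```

After a match, either user calls walletsFor(msg.sender) or walletOf(pairKey(alice, bob)) to find the wallet, then approve() on it from both owners and withdrawSplit() to release the rewards; the WalletCreated event gives an off-chain indexer the same information without a storage read.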
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.