DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: medium
Invalid

The `MultiSig` contract can receive any amount of funds without any validations

[M-2] Summary

The MultiSig contract can receive any amount of funds without any validations

Vulnerability Details

The MultiSig contract has a `receive` function that accepts any amount of funds. There are no validations in place, so inadvertent deposits are accepted. This isn't aligned with the main purpose of the contract.

Impact

High impact - funds could be stuck in the contract, or sent to unwanted recipients. Low likelihood - the sender would need to specifically select the MultiSig contract address.

Tools Used

Manual review.

Recommendations

Add an explicit function for depositing funds into the contract, or have the desired ETH sent during contract creation, which is also the moment at which the intended funds are currently transferred to the contract. The simplest way is to make the constructor payable:

- constructor(address _owner1, address _owner2) {
+ constructor(address _owner1, address _owner2) payable {
require(
_owner1 != address(0) && _owner2 != address(0),
"Invalid owner address"
);
require(_owner1 != _owner2, "Owners must be different");
owner1 = _owner1;
owner2 = _owner2;
}
- receive() external payable {}
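
Review bot: The now-payable constructor accepts any msg.value, including zero, so the missing validation the finding describes moves to deployment instead of being resolved; if a funded deployment is required, add a check such as require(msg.value > 0, "No funds sent") alongside the existing owner checks. With receive() removed and no other payable function in the visible lines, plain ETH transfers after deployment will revert, which makes the constructor the only funding path shown here. That constraint should be stated in a comment or the deployment notes so the deployer sends the intended amount with the creation transaction.
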
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
