DatingDapp

First Flight #33

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

MultiSig: Inability for Owners to Revoke Previously Approved Transactions

jayp

Summary

The contract does not provide a mechanism for owners to revoke their approvals once given. After either owner has approved a transaction, that approval is locked in, and there is no way to change their decision prior to execution.

Vulnerability Details

Irrevocable Approval Flow:
- When approveTransaction is called, the approval is permanently set to true for the respective owner.
- The contract does not allow the owner to revert or withdraw this approval, even if the transaction parameters or the context have changed.
Stale or Incorrect Transaction Risk:
- If an owner discovers an error or changes their mind about the transaction, there is no built-in method to reject it once they have already approved.
Lack of Fallback Mechanism:
- A standard practice in multi-signature wallets is to allow signers to revoke approvals to prevent execution of out-of-date or incorrect transactions. This contract lacks that capability.

Impact

Owner Inflexibility: Owners have to remain vigilant and only approve when they are absolutely certain. Once approved, there is no “undo” button.
Potential Funds Risk: If a transaction is eventually recognized as incorrect or malicious after one owner approves, the other owner has to withhold their own approval indefinitely. This can be cumbersome or risky if miscommunication happens between owners.

Tools Used

Manual Code Inspection: Identified that there is no function or logic to set the approvedByOwnerX fields back to false.
Static Analysis: Tools like Slither can highlight missing features or identify code sections that never revert state changes.

Recommendations

Add a “Revoke Approval” Function:
function revokeApproval(uint256 _txId) external onlyOwners {
require(_txId < transactions.length, "Invalid transaction ID");
Transaction storage txn = transactions[_txId];
require(!txn.executed, "Transaction already executed");

if (msg.sender == owner1 && txn.approvedByOwner1) {
txn.approvedByOwner1 = false;
} else if (msg.sender == owner2 && txn.approvedByOwner2) {
txn.approvedByOwner2 = false;
}
}
- This ensures owners can revert their approvals if they notice an issue before execution.

Updates

Appeal created

n0kto Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Users mistake, only impacting themselves.

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Rewards breakdown

nSLOC

197

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.