DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Denial Of Service `MultiSigWallet` not accessible to users.

Summary

Once users match, a MultiSigWallet is created with the two users' addresses, where they can access the funds. This MultiSigWallet address is not saved anywhere. The user won't be able to interact with the wallet.

Vulnerability Details

In `LikeRegistry::matchRewards`, a new MultiSigWallet is created with the two users' addresses, but it is not saved. The matched users can't access the wallet as they don't have the address.

Impact

Matched users are unable to access MultiSigWallet as they can't see the contract address.

Tools Used

```solidity
function testMatchReward() public {
    vm.deal(user, 2 ether);
    vm.deal(user2, 2 ether);
    vm.prank(user);
    likeRegistry.likeUser{value: 1 ether}(address(user2));
    vm.prank(user2);
    likeRegistry.likeUser{value: 1 ether}(address(user));
    vm.prank(user2);
    assertEq(likeRegistry.getMatches()[0], address(user), "User should be matched");
    // How do we access the wallet without address
    // this deploys a new wallet.
    MultiSigWallet multiSigWallet = new MultiSigWallet(user, user2);
    assertEq(address(multiSigWallet).balance, 1.8e18);
}
```

Recommendations

  1. Emit an event with the wallet address after sending ETH to the wallet.

```solidity
emit LikeRegistry_MatchRewardsEvent(address(multiSigWallet), from, to);
```

  2. Add a wallet registry to the LikeRegistry contract that tracks the users and wallets.
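
Both recommendations combined in one contract, as an added example that is not the DatingDapp code. `PairWallet` and `MatchWalletRegistry` are hypothetical stand-ins, and `pairKey`, `getWallet` and the error names are assumptions; only the event name and its argument order come from the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical stand-in for the project's MultiSigWallet: only what this example needs.
contract PairWallet {
    address public immutable owner1;
    address public immutable owner2;

    constructor(address _owner1, address _owner2) {
        owner1 = _owner1;
        owner2 = _owner2;
    }

    receive() external payable {}
}

// Hypothetical registry: records the wallet per matched pair and emits its address.
contract MatchWalletRegistry {
    // Event name and argument order taken from the recommendation above.
    event LikeRegistry_MatchRewardsEvent(address indexed wallet, address indexed from, address indexed to);

    error WalletAlreadyExists(address wallet);
    error NoWalletForPair();

    // Order-independent pair key => wallet deployed for that pair.
    mapping(bytes32 => address) private walletOf;

    function pairKey(address a, address b) public pure returns (bytes32) {
        return a < b ? keccak256(abi.encode(a, b)) : keccak256(abi.encode(b, a));
    }

    // Stand-in for matchRewards, external here only so the example is callable on its own.
    function matchRewards(address from, address to) external payable returns (address wallet) {
        bytes32 key = pairKey(from, to);
        if (walletOf[key] != address(0)) revert WalletAlreadyExists(walletOf[key]);
        wallet = address(new PairWallet(from, to));
        walletOf[key] = wallet; // state is written before the external call
        (bool ok,) = payable(wallet).call{value: msg.value}("");
        require(ok, "Transfer failed");
        emit LikeRegistry_MatchRewardsEvent(wallet, from, to);
    }

    // Either matched user can look the wallet up later, in either argument order.
    function getWallet(address a, address b) external view returns (address wallet) {
        wallet = walletOf[pairKey(a, b)];
        if (wallet == address(0)) revert NoWalletForPair();
    }
}
```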

Updates

Appeal created

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
