The contract deploys a new MultiSigWallet instance every time two users are matched, leading to excessive gas costs, state bloat, and unnecessary contract management overhead.
Each time matchRewards is called, a new MultiSigWallet contract is deployed for the matched users. This results in:
High gas costs due to repeated contract deployments.
Increased state size, leading to long-term inefficiencies on-chain.
User experience issues, as users need to manage multiple MultiSig wallets.
Potential fund loss scenarios, where a lost private key makes the funds in that MultiSig permanently inaccessible.
Gas inefficiency significantly increases transaction costs, making the system unsustainable for frequent matches.
On-chain storage bloat leads to higher fees for all users interacting with the contract.
Difficult fund recovery if a user loses access to one of their MultiSig wallets.
Denial of Service (DoS) risk if contract creation costs become prohibitively expensive.
Manual review
Use a single MultiSigWallet per user pair instead of deploying a new instance every time.
Implement an on-chain escrow system to manage funds instead of individual MultiSig wallets.
Consider using ERC-4337 account abstraction for a more gas-efficient multi-signature mechanism.
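One way to implement the first recommendation, shown as an added example that is not the audited project's code. The `PairWalletRegistry` contract, its function names, and the two-owner `MultiSigWallet` constructor are assumptions made for illustration; the stand-in wallet omits all signing logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Stand-in for the project's wallet; the two-owner constructor is an assumption.
contract MultiSigWallet {
    address public immutable owner1;
    address public immutable owner2;

    constructor(address _owner1, address _owner2) {
        require(_owner1 != address(0) && _owner2 != address(0), "zero owner");
        require(_owner1 != _owner2, "same owner");
        owner1 = _owner1;
        owner2 = _owner2;
    }

    receive() external payable {}
}

// Hypothetical registry: at most one wallet per unordered user pair.
contract PairWalletRegistry {
    mapping(bytes32 => address payable) public walletOf;

    event WalletCreated(address indexed a, address indexed b, address wallet);

    // Order-independent key so (a, b) and (b, a) resolve to the same wallet.
    function pairKey(address a, address b) public pure returns (bytes32) {
        (address lo, address hi) = a < b ? (a, b) : (b, a);
        return keccak256(abi.encode(lo, hi));
    }

    // Deploys on the first match only; later matches reuse the stored address.
    function getOrCreateWallet(address a, address b) public returns (address payable wallet) {
        bytes32 key = pairKey(a, b);
        wallet = walletOf[key];
        if (wallet == address(0)) {
            wallet = payable(address(new MultiSigWallet(a, b)));
            walletOf[key] = wallet;
            emit WalletCreated(a, b, wallet);
        }
    }

    // Match path: forwards the pair's rewards to their single wallet.
    // Access control is left to the integrating contract.
    function fundPair(address a, address b) external payable {
        address payable wallet = getOrCreateWallet(a, b);
        (bool ok, ) = wallet.call{value: msg.value}("");
        require(ok, "transfer failed");
    }
}
```

With this pattern the deployment cost is paid once per pair, and repeat matches cost only a storage read plus the value transfer.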
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.