DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

Inaccessible MultiSig Wallets for Matched Users

icon0x

Summary

Vulnerability Details

When users match through mutual likes, the contract creates a MultiSig wallet but fails to record its address, making it impossible for matched users to access their funds or interact with the wallet.

Impact

Users cannot access or manage their matched funds

Tools Used

Manual Review

Recommendations

Implement a mapping to track MultiSig wallets:

+ mapping(address => mapping(address => address)) public mutualMultiSigWallets;
function matchRewards(address from, address to) internal {
uint256 matchUserOne = userBalances[from]; // user from balance is zero: 0
uint256 matchUserTwo = userBalances[to]; // user to balance is zero: 0
userBalances[from] = 0;
userBalances[to] = 0;
uint256 totalRewards = matchUserOne + matchUserTwo;
uint256 matchingFees = (totalRewards * FIXEDFEE) / 100;
uint256 rewards = totalRewards - matchingFees;
totalFees += matchingFees;
// Deploy a MultiSig contract for the matched users
MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
+ mutualMultiSigWallet[from][to] = address(multiSigWallet);
+ mutualMultiSigWallet[to][from] = address(multiSigWallet);
// Send ETH to the deployed multisig wallet
(bool success,) = payable(address(multiSigWallet)).call{value: rewards}("");
require(success, "Transfer failed");
}
Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.