DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

`MultiSig::submitTransaction` lacks balance check, allowing transaction with any amount to be submitted

marcoroccon

Description:

MultiSig::submitTransaction does not check whether the amount of the submitted transaction is lower or equal to the balance of the MultiSig.

Impact:

Owners of the MultiSig can submit transactions with any amount, regardless of the actual funds available in the smart contract. The transaction will ultimately fail when calling MultiSig::executeTransaction, as there will not be enough funds. However, this behavior should be avoided to limit unnecessary updates to the MultiSig::transactions array, which is usually a gas-intensive operation.

Tools used

Manual review

Recommended mitigation

Add a check at the top of the MultiSig::submitTransaction function which will make sure that the _value parameter does not exceed the currently available funds in the contract.

function submitTransaction(address _to, uint256 _value) external onlyOwners {
if (_to == address(0)) revert InvalidRecipient();
- if (_value == 0) revert InvalidAmount();
+ if (_value == 0 || _value > address(this).balance) revert InvalidAmount();
transactions.push(Transaction(_to, _value, false, false, false));
uint256 txId = transactions.length - 1;
emit TransactionCreated(txId, _to, _value);
}
Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Users mistake, only impacting themselves.

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.