DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

There is no easy way to retrieve the address of the Multisig after a match

f3d0ss

Summary

The current implementation emits a Matched event that only includes the two matched users' addresses, while the deployed multisig wallet address is not captured. This oversight makes it difficult to retrieve or verify the address of the multisig wallet contract created during the match process.

Vulnerability Details

When a mutual like is detected, the contract deploys a new MultiSigWallet for the matched users and forwards the match rewards there. However, the Matched event only takes two parameters (user1 and user2), providing no reference to the multisig wallet address. Consequently, off-chain systems or administrators lack an easy way to track, validate, or interact with the deployed multisig wallet for the match.

Impact

  • Lack of Transparency: External observers or off-chain applications cannot easily retrieve or verify the multisig wallet address associated with a match.

  • Auditing Difficulties: Tracking funds and cross-referencing events becomes harder as the multisig wallet address is not logged.

  • Operational Overhead: Without an easy method to identify the multisig wallet, manual intervention or additional on-chain queries may be required, affecting user trust or causing delays in fund management.

Tools Used

  • Manual Code Inspection

Recommendations

  • Modify the Matched Event: Update the event definition to include the multisig wallet address. For example:

- event Matched(address indexed user1, address indexed user2);
+ event Matched(address indexed user1, address indexed user2, address multisigWallet);

  • Update the likeUser Function: After deploying the MultiSigWallet in the matchRewards function, emit the Matched event with the new multisig wallet address included:

function likeUser(
address liked
) external payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);
// Check if mutual like
if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
- emit Matched(msg.sender, liked);
- matchRewards(liked, msg.sender);
+ address multisig = matchRewards(liked, msg.sender);
+ emit Matched(msg.sender, liked, multisig);
}
}
- function matchRewards(address from, address to) internal {
+ function matchRewards(address from, address to) internal returns(address) {
uint256 matchUserOne = userBalances[from];
uint256 matchUserTwo = userBalances[to];
userBalances[from] = 0;
userBalances[to] = 0;
uint256 totalRewards = matchUserOne + matchUserTwo;
uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100;
uint256 rewards = totalRewards - matchingFees;
totalFees += matchingFees;
// Deploy a MultiSig contract for the matched users
MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
// Send ETH to the deployed multisig wallet
(bool success, ) = payable(address(multiSigWallet)).call{value: rewards}("");
require(success, "Transfer failed");
+ return address(multiSigWallet);
}
Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.