When likes are matched, a MultiSigWallet contract is created and all the previous payments of both users are transferred to the multisig. The issue can appear in any of the following scenarios:

- One of the two owners is a smart contract that lacks built-in logic to call the methods of the MultiSigWallet contract.
- An irresponsible owner loses his private key.
- Both owners never reach consensus on how to spend the ETH inside the multisig.

Possible indirect funds lock for one of the owners inside the MultiSigWallet contract.

Add an isContract check inside the matchRewards method of the LikeRegistry contract. There is no danger of contracts bypassing this check by executing logic from their constructors, because of the nature of the matchRewards method: you have to be liked first in order to create the MultiSigWallet contract inside your likeUser transaction.

The MultiSigWallet contract should keep a record of both owners' payments and provide an emergency withdraw method for the case that one of the owners is locked. By executing the emergency withdraw, an owner should be able to withdraw only his own funds. There has to be an additional modifier that blocks the execution of the methods submitTransaction, approveTransaction and executeTransaction if one of the two owners has already initiated the emergency withdraw of his funds.
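
The second recommendation could look like the base contract below. This is an added example, not code from the audited project: the contract name, the constructor parameters, the errors and the event are hypothetical, and it assumes LikeRegistry forwards both users' payments at creation and reports each user's share.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added example: hypothetical base contract, not the audited MultiSigWallet.
abstract contract EmergencyExit {
    address public immutable owner1;
    address public immutable owner2;
    mapping(address => uint256) public deposits; // what each owner paid in
    bool public emergencyStarted;                // set by the first emergency exit

    error NotOwner();
    error EmergencyActive();
    error NothingToWithdraw();
    error BadShares();
    error TransferFailed();

    event EmergencyWithdrawal(address indexed owner, uint256 amount);

    /// Assumption: the creator (LikeRegistry) forwards both users' payments
    /// as msg.value and reports how much of it came from each of them.
    constructor(address o1, address o2, uint256 paid1, uint256 paid2) payable {
        if (o1 == o2 || paid1 + paid2 != msg.value) revert BadShares();
        owner1 = o1;
        owner2 = o2;
        deposits[o1] = paid1;
        deposits[o2] = paid2;
    }

    /// Put this on submitTransaction, approveTransaction and executeTransaction.
    modifier noEmergency() {
        if (emergencyStarted) revert EmergencyActive();
        _;
    }

    /// Pays the caller only their own share; needs no action from the other owner.
    function emergencyWithdraw() external {
        if (msg.sender != owner1 && msg.sender != owner2) revert NotOwner();
        uint256 mine = deposits[msg.sender];
        if (mine == 0) revert NothingToWithdraw();
        uint256 total = deposits[owner1] + deposits[owner2];
        // Pro rata over what is left (earlier joint spends), never above own deposit.
        uint256 amount = (address(this).balance * mine) / total;
        if (amount > mine) amount = mine;
        deposits[msg.sender] = 0;   // effects before interaction (reentrancy)
        emergencyStarted = true;    // freezes the joint-spend path for good
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        if (!ok) revert TransferFailed();
        emit EmergencyWithdrawal(msg.sender, amount);
    }
}
```

A wallet inheriting from this base would mark its three joint-spend methods with `noEmergency`, so that after one owner exits the other owner can only leave through `emergencyWithdraw` as well.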

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.