DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

[H-2] In `LikeRegistry::matchRewards`, the address of the multi-signature wallet is not tracked, leading to a loss of user funds

kagen

Description: In LikeRegistry::matchRewards, once the reward totals for two users are calculated, a multi-signature wallet is created for the users. The reward total is then transferred to the multi-signature wallet, intended for the two users to use on a date. However, the address of the multi-signature wallet is not tracked or communicated to the users. As a result, user funds are effectively lost since the users are unaware of how to access the multi-signature wallet.

function matchRewards(address from, address to) internal {
uint256 matchUserOne = userBalances[from];
uint256 matchUserTwo = userBalances[to];
userBalances[from] = 0;
userBalances[to] = 0;
uint256 totalRewards = matchUserOne + matchUserTwo;
uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100;
uint256 rewards = totalRewards - matchingFees;
totalFees += matchingFees;
// Deploy a MultiSig contract for the matched users
// @audit - This is not being stored or communicated back to the matched users
MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
// Send ETH to the deployed multisig wallet
(bool success, ) = payable(address(multiSigWallet)).call{value: rewards}("");
require(success, "Transfer failed");
}

Impact: A total breakdown of the protocol and loss of funds since users can't use the multi-signature wallet for their date.

Recommended Mitigation: Emit an event with the wallet address.

Add the following event to the LikeRegistry contract:

+ // Event to notify wallet creation
+ event MultiSigWalletCreated(
+ address indexed wallet,
+ address indexed owner1,
+ address indexed owner2,
+ uint256 initialBalance
+ );

Emit the event in LikeRegistry::matchRewards:

function matchRewards(address from, address to) internal {
uint256 matchUserOne = userBalances[from];
uint256 matchUserTwo = userBalances[to];
userBalances[from] = 0;
userBalances[to] = 0;
uint256 totalRewards = matchUserOne + matchUserTwo;
uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100;
uint256 rewards = totalRewards - matchingFees;
totalFees += matchingFees;
// Deploy a MultiSig contract for the matched users
MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
// Send ETH to the deployed multisig wallet
(bool success, ) = payable(address(multiSigWallet)).call{value: rewards}("");
require(success, "Transfer failed");
+ // Emit event for wallet creation
+ emit MultiSigWalletCreated(
+ address(multiSigWallet),
+ from,
+ to,
+ rewards
+ );
}
Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.