DatingDapp

First Flight #33

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Mapping for Tracking Submitted Transactions

gojo

Summary: The contract MultiSig.sol stores transactions in an array (Transaction[] public transactions), meaning each transaction is indexed by its position in the array (txId). This works fine as long as users can correctly track their transaction IDs, don’t accidentally approve or execute the wrong transaction, and have an efficient way to retrieve pending transactions. It introduces serious usability, tracking, and potential operational risks that could indirectly lead to financial losses.

Impact: There is a risk of human error, due to owners must manually track transaction IDs. e.g.: An owner wants to approve a specific transaction but mistakenly provides the wrong txId. Attacker could exploit this by spamming the contract with fake or small transactions, causing the transaction list to grow rapidly and making it hard for owners to track legitimate requests, and also gas could become expensive.

Recommended Mitigation: Consider adding transaction tracking mappings like ownerTransactions and pendingTransactions, and push the txId with respect to the owner, like:

mapping(address => uint256[]) public ownerTransactions; // Stores all transaction IDs created by owner.

mapping(address => uint256[]) public pendingTransactions; // Stores only unexecuted transaction IDs for owner.

function submitTransaction(address _to, uint256 _value) external onlyOwners {

if (_to == address(0)) revert InvalidRecipient();

if (_value == 0) revert InvalidAmount();

transactions.push(Transaction(_to, _value, false, false, false));

uint256 txId = transactions.length - 1;

ownerTransactions[msg.sender].push(txId); // Track by owner

pendingTransactions[msg.sender].push(txId); // Track pending transactions

emit TransactionCreated(txId, _to, _value);

}

Now owners can retrieve their transactions correctly:

function getOwnerTransactions(address owner) external onlyOwners view returns (uint256[] memory) {

return ownerTransactions[owner];

}

function getPendingTransactions(address owner) external onlyOwners view returns (uint256[] memory) {

return pendingTransactions[owner];

}

Updates

Appeal created

n0kto Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Users mistake, only impacting themselves.

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Rewards breakdown

nSLOC

197

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.