DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Title: Lack of Visibility for multisigWallet Address in matchRewards() Leading to Potential Loss of Funds

Summary

The matchRewards() function in the LikeRegistry contract does not provide an accessible way for participants to obtain the multisigWallet address, which is essential for fund distribution. Since the multisigWallet is responsible for managing the financial transactions between matched users, its address is a critical piece of information. However, the contract currently does not explicitly expose this address to users, making it difficult for them to verify or interact with it without searching through blockchain explorers like Etherscan.

Vulnerability Details

When users are matched in LikeRegistry, they rely on matchRewards() to facilitate the distribution of funds via the multisigWallet. However, the contract does not provide a direct way for users to retrieve or verify the multisigWallet address. The only way to obtain this information is by manually searching through on-chain transactions on platforms like Etherscan. This process can be particularly challenging when transaction history is extensive, making it difficult for users to locate the correct contract address.

This lack of transparency can create confusion and delays in fund distribution, as users may struggle to determine where their funds are being sent and whether they have been properly matched. Since the multisigWallet address plays a crucial role in financial interactions, ensuring its visibility is essential for improving user experience and trust in the contract.

Impact

The absence of a clear way to obtain the multisigWallet address leads to unnecessary complexity for users. Participants who need to verify the contract’s legitimacy or interact with it directly may face difficulties in locating the correct address, potentially delaying the transaction process. This lack of transparency also increases the risk of errors, as users may inadvertently interact with the wrong contract due to misinformation or confusion.

Tools Used

Manual Audit

Recommendations

To improve accessibility and transparency, the contract should emit an event whenever matchRewards() is executed, explicitly providing the multisigWallet address to the matched participants. This allows users to easily retrieve the contract address from event logs rather than manually searching through transaction histories.
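The following is an added illustration of that recommendation, not code from the DatingDapp repository: a cut-down LikeRegistry whose matchRewards() emits the multisigWallet address and also stores it behind a view function. Only LikeRegistry, matchRewards() and multisigWallet are taken from the finding; the MultiSigWallet contract, likeUser(), userBalances, likes and the (from, to) parameters are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the recommendation, not the DatingDapp code. Only
// LikeRegistry, matchRewards() and multisigWallet come from the finding; the
// MultiSigWallet contract, likeUser(), userBalances and likes are assumptions.
contract MultiSigWallet {
    address public immutable ownerA;
    address public immutable ownerB;

    constructor(address a, address b) payable {
        ownerA = a;
        ownerB = b;
    }
}

contract LikeRegistry {
    mapping(address => uint256) public userBalances;            // assumed
    mapping(address => mapping(address => bool)) public likes;  // assumed
    mapping(address => mapping(address => address)) private walletOf;

    // Recommended: log the wallet so either party can find it in event logs
    // instead of scanning the creation transaction on a block explorer.
    event Matched(address indexed from, address indexed to, address multisigWallet);

    function likeUser(address liked) external payable {
        userBalances[msg.sender] += msg.value;
        likes[msg.sender][liked] = true;
        if (likes[liked][msg.sender]) {
            matchRewards(msg.sender, liked);
        }
    }

    function matchRewards(address from, address to) internal {
        uint256 total = userBalances[from] + userBalances[to];
        userBalances[from] = 0;
        userBalances[to] = 0;
        MultiSigWallet multisigWallet = new MultiSigWallet{value: total}(from, to);
        walletOf[from][to] = address(multisigWallet);
        walletOf[to][from] = address(multisigWallet);
        emit Matched(from, to, address(multisigWallet));
    }

    // Companion getter: a matched user reads the address on-chain directly.
    function getMultisigWallet(address partner) external view returns (address) {
        return walletOf[msg.sender][partner];
    }
}
```

In a Foundry test the emission can be checked with vm.expectEmit before the second likeUser() call, and the getter lets an off-chain client confirm the logged address against contract state.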

Updates

Appeal created

n0kto Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
