DatingDapp
First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: low
Status: Invalid

matchRewards() deploys a MultiSigWallet but does not store or emit its address.

Summary

Scope: src/LikeRegistry.sol

The contract does not record or expose the address of the MultiSigWallet that matchRewards() deploys when two users mutually like each other. Users have no on-chain way to retrieve the address of their multisig wallet, so they cannot interact with the funds locked in it.

Vulnerability Details

Affected Function:

  • matchRewards(): Deploys a MultiSigWallet but does not store or emit its address.

Root Cause:

  • The MultiSigWallet address is produced at deployment time but is neither recorded in the contract's state nor emitted in an event.

  • Users cannot programmatically determine where their rewards are sent, leading to a lack of transparency and usability.

Impact

  • Lost Funds: Users cannot access their rewards in the multisig wallet because they don’t know its address.

  • Poor User Experience: Users must manually track transaction logs or deployments to find the wallet address, which is impractical.

Tools Used

  • Manual code review.

Recommendations

Fix: Track and Expose MultiSig Addresses

Emit an Event with the Wallet Address:
Add an event to log the multisig wallet address when it’s deployed:

event MultiSigDeployed(address indexed user1, address indexed user2, address indexed wallet);

Store the Address in a Mapping:
Track the multisig wallet for each user pair to prevent redundant deployments and allow lookups:

mapping(address => mapping(address => address)) public pairToMultiSig;

Update matchRewards():
Modify the function to store and emit the wallet address:

function matchRewards(address from, address to) internal {
    // ... existing logic (computes `rewards`, the ETH amount owed to the pair) ...

    // Deploy a new multisig only if this pair does not already have one
    address multiSigAddress = pairToMultiSig[from][to];
    if (multiSigAddress == address(0)) {
        MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
        multiSigAddress = address(multiSigWallet);
        pairToMultiSig[from][to] = multiSigAddress;
        pairToMultiSig[to][from] = multiSigAddress; // symmetric entry, so either order resolves
        emit MultiSigDeployed(from, to, multiSigAddress); // expose the wallet address off-chain
    }

    // Send ETH to the multisig
    (bool success, ) = payable(multiSigAddress).call{value: rewards}("");
    require(success, "Transfer failed");
}

Add a helper function to fetch the multisig address for a given pair:

function getMultiSig(address user1, address user2) external view returns (address) {
    return pairToMultiSig[user1][user2];
}
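The recommendation above, assembled into a self-contained Foundry test as an added example (this is not DatingDapp's code). MultiSigWalletStub is an assumed stand-in for the project's MultiSigWallet with the (owner1, owner2) constructor shape the finding refers to; PairRegistry is a minimal contract that applies the fix, and matchPair is a hypothetical public entry point standing in for whatever calls matchRewards() in the real LikeRegistry. The test checks that the wallet address can be recovered both from the MultiSigDeployed event and from the mapping, that the two agree in either user order, and that matching the same pair again reuses the wallet instead of redeploying.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Stand-in for the project's MultiSigWallet (constructed for this example, not
// DatingDapp's contract). Only the assumed (owner1, owner2) constructor shape
// and the ability to receive ETH matter here.
contract MultiSigWalletStub {
    address public immutable owner1;
    address public immutable owner2;

    constructor(address _owner1, address _owner2) {
        owner1 = _owner1;
        owner2 = _owner2;
    }

    receive() external payable {}
}

// Minimal registry applying the recommended fix: a symmetric pair -> wallet
// mapping plus an event, so the wallet is discoverable on-chain and off-chain.
contract PairRegistry {
    event MultiSigDeployed(address indexed user1, address indexed user2, address indexed wallet);

    mapping(address => mapping(address => address)) public pairToMultiSig;

    // `rewards` is passed in explicitly here; in LikeRegistry it comes from the
    // existing matching logic.
    function _matchRewards(address from, address to, uint256 rewards) internal {
        address multiSigAddress = pairToMultiSig[from][to];
        if (multiSigAddress == address(0)) {
            MultiSigWalletStub wallet = new MultiSigWalletStub(from, to);
            multiSigAddress = address(wallet);
            pairToMultiSig[from][to] = multiSigAddress;
            pairToMultiSig[to][from] = multiSigAddress; // symmetric entry
            emit MultiSigDeployed(from, to, multiSigAddress);
        }
        (bool success, ) = payable(multiSigAddress).call{value: rewards}("");
        require(success, "Transfer failed");
    }

    // Hypothetical public entry point standing in for whatever calls
    // matchRewards() in the real contract.
    function matchPair(address from, address to) external payable {
        _matchRewards(from, to, msg.value);
    }

    function getMultiSig(address user1, address user2) external view returns (address) {
        return pairToMultiSig[user1][user2];
    }
}

// Foundry test: the wallet address is recoverable from the event and from the
// mapping, both lookups agree, and a second match reuses the same wallet.
contract PairRegistryTest is Test {
    PairRegistry internal registry;
    address internal alice = address(0xA11CE); // constructed test addresses
    address internal bob = address(0xB0B);

    function setUp() public {
        registry = new PairRegistry();
        vm.deal(address(this), 10 ether);
    }

    function testWalletIsDiscoverableAndReused() public {
        vm.recordLogs();
        registry.matchPair{value: 1 ether}(alice, bob);

        // topics[0] is the event signature; [1], [2], [3] are the indexed params.
        Vm.Log[] memory logs = vm.getRecordedLogs();
        assertEq(logs.length, 1);
        assertEq(logs[0].topics[0], keccak256("MultiSigDeployed(address,address,address)"));
        address fromEvent = address(uint160(uint256(logs[0].topics[3])));

        address fromMapping = registry.getMultiSig(alice, bob);
        assertEq(fromEvent, fromMapping);
        assertEq(registry.getMultiSig(bob, alice), fromMapping); // symmetric lookup
        assertEq(fromMapping.balance, 1 ether);

        // Matching the same pair again (in either order) must not redeploy.
        vm.recordLogs();
        registry.matchPair{value: 1 ether}(bob, alice);
        assertEq(vm.getRecordedLogs().length, 0);
        assertEq(registry.getMultiSig(alice, bob), fromMapping);
        assertEq(fromMapping.balance, 2 ether);
    }
}
```

Run with `forge test --match-contract PairRegistryTest`. Off-chain, the same `wallet` topic the test decodes is what a front-end or indexer would filter on to show each user where their matched rewards were sent.
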

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
