The `submitTransaction()` function in the MultiSig contract does not validate that the requested `_value` is less than or equal to the contract's current balance. Users can submit transactions for amounts that exceed the available balance, which will always fail when executed, wasting gas and creating invalid transaction entries.
```solidity
function submitTransaction(address _to, uint256 _value) external onlyOwners {
    if (_to == address(0)) revert InvalidRecipient();
    if (_value == 0) revert InvalidAmount();
    // @> Missing: require(_value <= address(this).balance, "Insufficient balance");
    transactions.push(Transaction(_to, _value, false, false, false));
    uint256 txId = transactions.length - 1;
    emit TransactionCreated(txId, _to, _value);
}
```
### Root Cause
The function validates that the value is not zero and that the recipient is not the zero address, but it does not check whether the contract has sufficient funds to execute the transaction.
Likelihood:
* Users may miscalculate available balance
* Users may submit transactions before understanding the contract balance
* This will occur whenever a transaction is submitted for more than the available balance
Impact:
* Invalid transactions are created that will always fail
* Gas wasted on failed execution attempts
* Poor user experience with unclear failure reasons
* Transaction array grows with invalid entries
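The fix described above, shown in a minimal stand-in contract. This is an added example, not the audited project's code: the owner registry, the `NotOwner` and `InsufficientBalance` errors, the event's parameter layout and the three `bool` field names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: minimal stand-in for the MultiSig contract in the finding.
contract MultiSigSketch {
    error NotOwner(); // assumed; the page does not show the modifier body
    error InvalidRecipient();
    error InvalidAmount();
    // Assumed custom error; the finding itself suggests a require() string.
    error InsufficientBalance(uint256 requested, uint256 available);

    struct Transaction {
        address to;
        uint256 value;
        bool flagA; // hypothetical names: the page shows three bools
        bool flagB; // in the constructor call but not what they are called
        bool flagC;
    }

    mapping(address => bool) public isOwner; // assumed owner registry
    Transaction[] public transactions;

    event TransactionCreated(uint256 txId, address to, uint256 value);

    modifier onlyOwners() {
        if (!isOwner[msg.sender]) revert NotOwner();
        _;
    }

    constructor(address[] memory owners) payable {
        for (uint256 i = 0; i < owners.length; i++) isOwner[owners[i]] = true;
    }

    receive() external payable {}

    function submitTransaction(address _to, uint256 _value) external onlyOwners {
        if (_to == address(0)) revert InvalidRecipient();
        if (_value == 0) revert InvalidAmount();
        // The check the finding reports as missing. The revert data carries
        // both amounts, so the caller sees why the submission was rejected.
        uint256 available = address(this).balance;
        if (_value > available) revert InsufficientBalance(_value, available);

        transactions.push(Transaction(_to, _value, false, false, false));
        uint256 txId = transactions.length - 1;
        emit TransactionCreated(txId, _to, _value);
    }
}
```

The check reflects the balance only at submission time. The balance can change before a queued transaction is executed, so the execution path still needs its own balance check.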