DatingDapp

AI First Flight #6
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: low
Likelihood: low
Invalid

No Mechanism to Cancel Pending Transactions in MultiSig

Root + Impact

Description

The MultiSig contract allows owners to submit and approve transactions, but there's no mechanism to cancel pending transactions. Once a transaction is submitted, it remains in the array forever, even if both parties agree they no longer want to execute it. This creates unnecessary transaction history and potential confusion.

Root Cause

The contract only provides `submitTransaction()`, `approveTransaction()`, and `executeTransaction()` functions, but no cancellation mechanism.


Risk

Likelihood:

  • Users may change their minds about a transaction after submission

  • Mistakes in transaction details may require cancellation

  • This will occur when users want to cancel but cannot

Impact:

  • Poor user experience - users cannot cancel unwanted transactions

  • Transaction array grows with invalid/unwanted entries

  • Potential confusion when reviewing transaction history

  • No way to clean up the transaction array

Proof of Concept

```solidity
// User submits transaction with wrong recipient
multiSig.submitTransaction(wrongAddress, 1 ether);
// User realizes mistake
// No way to cancel - transaction remains forever
// Must wait for both approvals and then execute to wrong address, or leave it pending
```

Recommended Mitigation

```diff
+ function cancelTransaction(uint256 _txId) external onlyOwners {
+ require(_txId < transactions.length, "Invalid transaction ID");
+ Transaction storage txn = transactions[_txId];
+ require(!txn.executed, "Transaction already executed");
+
+ if (msg.sender == owner1) {
+ require(txn.approvedByOwner1, "Must be approved by you to cancel");
+ } else {
+ require(txn.approvedByOwner2, "Must be approved by you to cancel");
+ }
+
+ txn.executed = true; // Mark as executed to prevent further actions
+ emit TransactionCancelled(_txId, msg.sender);
+ }
+
+ event TransactionCancelled(uint256 indexed txId, address indexed cancelledBy);
```
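
Review bot: the `require(txn.approvedByOwner1, ...)` / `require(txn.approvedByOwner2, ...)` checks in the `if`/`else` block only let an owner cancel a transaction they have already approved, so the case in the proof of concept (a submission with the wrong recipient) could be cancelled only after the caller approves it first. Consider dropping that requirement so either owner can cancel any unexecuted transaction. Separately, `txn.executed = true` reuses the executed flag to represent cancellation, so stored state no longer distinguishes a cancelled transaction from one that actually ran; a dedicated `cancelled` field on `Transaction`, checked next to `executed`, would keep the history unambiguous. The `TransactionCancelled` event is also declared after the function that emits it; moving it up beside the contract's other declarations would read more cleanly.
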
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
