DatingDapp

AI First Flight #6
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: high
Likelihood: high
Invalid

Matched Users Cannot Access Their Multisig Wallet.

Root + Impact

A multisig is created:
https://github.com/CodeHawks-Contests/2025-02-datingdapp/blob/878bd34ef6607afe01f280cd5aedf3184fc4ca7b/src/LikeRegistry.sol#L62
but its address is never stored. No mapping such as mapping(address => address) userWallet; exists, and no event emits the wallet address: there is no emit MatchCreated(...).

Description

The wallet becomes effectively undiscoverable from contract state. Users cannot carry out operations in the MultiSig contract such as submitTransaction(), approveTransaction() and executeTransaction() because they do not know which wallet belongs to them.
The protocol deploys wallets that users cannot reasonably interact with.

Risk

Likelihood:

Highly Likely.

Impact:

A core functionality of the protocol becomes unusable.

Proof of Concept

After users are matched, they are still unable to access their wallet.

    function test_matchedUsers() public {
        vm.startPrank(user); // Simulates user calling the function
        soulboundNFT.mintProfile("Alice", 25, "ipfs://profileImage");
        vm.stopPrank();
        vm.startPrank(user2);
        soulboundNFT.mintProfile("james", 35, "ipfs://profileImage2");
        vm.stopPrank();
        vm.startPrank(user2);
        vm.expectRevert(); // this automatically reverts
        soulboundNFT.submitTransaction(user2, 1e18);
        vm.stopPrank();
        .........

Recommended Mitigation

A mapping could be created to hold wallets for matched users.

    mapping(address => address) userWallet; // add this code

or

    mapping(bytes32 => address) matchWallet; // add this code

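The mapping-plus-event mitigation described above, as an added example that is not code from the DatingDapp repository. PairWallet, MatchWalletRegistry, MatchWalletCreated, pairKey, _createMatchWallet and walletOf are assumed names. It goes one step beyond the text by keying the mapping on the sorted pair, so a user with more than one match keeps every wallet discoverable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Stand-in for the two-owner wallet deployed on a match (assumed, not the project's MultiSig).
contract PairWallet {
    address public immutable owner1;
    address public immutable owner2;

    constructor(address a, address b) {
        require(a != address(0) && b != address(0) && a != b, "bad owners");
        owner1 = a;
        owner2 = b;
    }

    receive() external payable {}
}

// Hypothetical registry showing only the wallet bookkeeping, not the like/match logic.
contract MatchWalletRegistry {
    // Keyed by pair: mapping(address => address) would be overwritten on a second match.
    mapping(bytes32 => address) public matchWallet;

    // Indexed users let an off-chain client recover the wallet address from logs alone.
    event MatchWalletCreated(address indexed user1, address indexed user2, address wallet);

    // Order-independent key: pairKey(a, b) == pairKey(b, a).
    function pairKey(address a, address b) public pure returns (bytes32) {
        (address lo, address hi) = a < b ? (a, b) : (b, a);
        return keccak256(abi.encode(lo, hi));
    }

    // Intended to be called from the match path when two users like each other.
    function _createMatchWallet(address a, address b) internal returns (address wallet) {
        bytes32 key = pairKey(a, b);
        require(matchWallet[key] == address(0), "wallet exists");
        wallet = address(new PairWallet(a, b));
        matchWallet[key] = wallet; // persist so either user can look it up later
        emit MatchWalletCreated(a, b, wallet);
    }

    // On-chain lookup for either matched user, in either argument order.
    function walletOf(address a, address b) external view returns (address) {
        return matchWallet[pairKey(a, b)];
    }
}
```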
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
