DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: high

Invalid

# The `MultiSigWallet::submitTransaction` contract does not explicitly return a transaction number.

just

The `MultiSigWallet::submitTransaction` contract does not explicitly return a transaction number.

Description

The user who will create money transfers will not obviously know what ID his transfer has.

The transaction ID will be returned after the function is called.

function submitTransaction(

address _to,

uint256 _value

) external onlyOwners {

if (_to == address(0)) revert InvalidRecipient();

if (_value == 0) revert InvalidAmount();

transactions.push(Transaction(_to, _value, false, false, false));

@> uint256 txId = transactions.length - 1;

emit TransactionCreated(txId, _to, _value);

}

Risk

Every time the user will call the function and not receive the ID under which his transaction is reserved, which he needs to confirm later. Not every user has technical skills and will be able to read the code that transactions will be stored in an array.

Impact:

After creating a transaction request, the user will call the following function for confirmation at number 1. But his ID will be at number 0. Bad user experience and not a friendly application at all.

Proof of Concept

The user creates a transaction and goes to confirm it by calling id 1.

The test passes.

Ran 1 test for test/testMultiSig.t.sol:MultiSigWalletTest
[PASS] testSumbitTransaction() (gas: 90351)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 325.13µs (64.46µs CPU time)

function testSumbitTransaction() public {

vm.startPrank(user);

wallet.submitTransaction(user1, 1e18);

vm.expectRevert("Invalid transaction ID");

wallet.approveTransaction(1);

vm.stopPrank();

}

Recommended Mitigation

Add index return to improve user experience.

function submitTransaction(

address _to,

uint256 _value

- ) external onlyOwners {

+ ) external onlyOwners returns (uint256)

if (_to == address(0)) revert InvalidRecipient();

if (_value == 0) revert InvalidAmount();

transactions.push(Transaction(_to, _value, false, false, false));

uint256 txId = transactions.length - 1;

emit TransactionCreated(txId, _to, _value);

+ return txId;

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 7 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!