When a mutual like is detected, matchRewards deploys a new MultiSigWallet contract for the matched pair. However, the address of this newly deployed wallet is never emitted in an event, nor is it stored in any mapping. After the transaction completes, neither user has any way to discover the address of their shared multisig wallet without manually parsing the transaction's internal traces.
The Matched event is emitted in likeUser before matchRewards is called, so it cannot include the wallet address. The matchRewards function itself emits no events.
Likelihood:
This affects every single match. The wallet address is created but never communicated.
Impact:
Low direct financial impact, but severely impacts usability. Users must use block explorers and trace analysis to find their multisig wallet address.
This test shows that after Alice and Bob match, there is no public mapping, getter, or emitted event containing the deployed MultiSig wallet address. The only way to find it is by tracing internal transactions off-chain.
Store the MultiSig address and/or emit it in the match event.
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.