DatingDapp

AI First Flight #6
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: low
Likelihood: low
Invalid

MultiSig.submitTransaction allows value greater than the wallet balance, polluting the transaction list with permanently un-executable entries

submitTransaction does not check value against balance, allowing un-executable transactions

Description

MultiSigWallet.submitTransaction (lines 41-48) validates only that _to is nonzero and _value is nonzero; it never checks _value <= address(this).balance. An owner can queue transactions that can never execute, since executeTransaction will revert at the low-level call when the wallet lacks funds.

function submitTransaction(address _to, uint256 _value) external onlyOwners {
    if (_to == address(0)) revert InvalidRecipient();
    if (_value == 0) revert InvalidAmount();
    // @> no check that _value <= address(this).balance
    transactions.push(Transaction(_to, _value, false, false, false));
    // ... rest of the function is not shown in this excerpt
}

Risk

Likelihood: Low. Requires an owner to submit a transaction exceeding the wallet balance, whether by mistake or to grief the co-owner.

Impact: Low. The transaction list (transactions) is polluted with entries that will always revert in executeTransaction (lines 75-76, where payable(txn.to).call{value: txn.value} fails on insufficient balance). Co-owners may waste an approval on a doomed transaction and the unbounded array grows with dead entries. No funds are lost, but it degrades usability and wastes gas.

Proof of Concept

Submit a transaction for more than the wallet holds and show it can never execute.

function test_unexecutableTxAccepted() public {
    // wallet holds 1 ether
    vm.prank(a);
    wallet.submitTransaction(a, 100 ether); // accepted despite low balance
    vm.prank(a); wallet.approveTransaction(0);
    vm.prank(b); wallet.approveTransaction(0);
    vm.prank(a);
    vm.expectRevert("Transaction failed"); // call reverts on insufficient funds
    wallet.executeTransaction(0);
}

Recommended Mitigation

Validate the requested value against the current balance at submit time.

function submitTransaction(address _to, uint256 _value) external onlyOwners {
if (_to == address(0)) revert InvalidRecipient();
if (_value == 0) revert InvalidAmount();
+ if (_value > address(this).balance) revert InvalidAmount();
transactions.push(Transaction(_to, _value, false, false, false));
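
Review bot: The added line `if (_value > address(this).balance) revert InvalidAmount();` compares against the balance at submission time only, so it does not establish whether the entry will be executable when executeTransaction later runs. The balance can drop below `_value` after submission (for example when an earlier queued transaction executes and sends value out), and it can rise above `_value` if the wallet's balance increases before execution, so the check both misses entries that become un-executable and rejects entries that would have become executable. If the goal is a clearer failure, consider checking the balance in executeTransaction immediately before the low-level call and reverting with a dedicated error (a hypothetical InsufficientBalance()), rather than reusing InvalidAmount, which the line above already uses to mean a zero value.
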
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
