Submission Details
Severity:
Missing Balance Update in LikeUser Function
Summary
The likeUser function in the LikeRegistry contract has a critical flaw where it accepts ETH payments from users but fails to update their balances in the userBalances mapping.
Vulnerability Details
function likeUser(
address liked
) external payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
// Missing balance update here <-- CRITICAL ISSUE
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);
if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
emit Matched(msg.sender, liked);
matchRewards(liked, msg.sender);
}
}
Impact
-
Users send ETH but their balances aren't recorded
-
When matches occur, the
matchRewardsfunction sees 0 balances -
Users lose their invested ETH as it's stuck in the contract
-
The entire matching reward system breaks down
Recommendations
function likeUser(address liked) external payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
// Update balance first
+ userBalances[msg.sender] += msg.value;
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);
emit UserBalanceUpdated(msg.sender, userBalances[msg.sender]);
if (likes[liked][msg.sender]) {
_processMatch(msg.sender, liked);
}
}
Updates
Appeal created
n0kto 3 months ago
Submission Judgement Published Assigned finding tags:
finding_likeUser_no_userBalances_updated
Likelihood: High, always. Impact: High, loss of funds
Rewards breakdown
nSLOC
197This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.