DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

Missing update to user balance

Summary

The contract LikeRegistry.sol requires users to send at least 1 ETH when calling the likeUser function; however, it never updates the userBalances mapping with the deposited amount. Because of this, the ETH sent by users is not recorded anywhere in contract state, which leads to mismanaged funds and can leave the deposited ETH locked in the contract.

Vulnerability Details

In the likeUser function, users must send a minimum of 1 ETH to perform a like, but the contract doesn't add the sent value to the userBalances mapping. The matchRewards function later tries to calculate rewards based on the balances of the matched users by reading userBalances[from] and userBalances[to]. Since these balances are never updated, they remain at 0, so the reward calculation always yields 0 even though the contract holds the ETH both users deposited.

Impact

The failure to update user balances results in funds being permanently locked in the contract: the ETH is held by the contract but attributed to no user, so no reward path can ever pay it out, which causes a direct loss to users.

Recommendations

First and most importantly, modify the likeUser function so that it updates the userBalances mapping with the deposited ETH before any match handling occurs.

Like so:

function likeUser(address liked) external payable {
    require(msg.value >= 1 ether, "Must send at least 1 ETH");
    // Update user balance with the deposited ETH so matchRewards can account for it
    userBalances[msg.sender] += msg.value;
    likes[msg.sender][liked] = true;
    emit Liked(msg.sender, liked);
    // A mutual like creates a match and triggers the reward logic
    if (likes[liked][msg.sender]) {
        matches[msg.sender].push(liked);
        matches[liked].push(msg.sender);
        emit Matched(msg.sender, liked);
        matchRewards(liked, msg.sender);
    }
}
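The accounting gap above can be pinned down with a solvency invariant: every wei held by the contract must be attributed to some user in userBalances. The following Foundry test is an added example and not part of the original submission or the DatingDapp codebase; it uses a constructed stand-in contract (LikeRegistryStandIn, with a constructor flag toggling the fix) rather than the real LikeRegistry, so the actual matchRewards logic, events and matches array are deliberately omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for LikeRegistry: only the parts relevant to the finding.
// `fixBalances == true` applies the recommended `userBalances[msg.sender] += msg.value`.
contract LikeRegistryStandIn {
    mapping(address => mapping(address => bool)) public likes;
    mapping(address => uint256) public userBalances;
    bool internal immutable fixBalances;

    constructor(bool _fixBalances) { fixBalances = _fixBalances; }

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        if (fixBalances) userBalances[msg.sender] += msg.value; // the recommended fix
        likes[msg.sender][liked] = true;
    }
}

contract LikeRegistryBalanceTest is Test {
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    // Sum of balances the contract believes it owes; matchRewards reads these entries.
    function _tracked(LikeRegistryStandIn reg) internal view returns (uint256) {
        return reg.userBalances(alice) + reg.userBalances(bob);
    }

    // Both users deposit 1 ETH via likeUser, producing a mutual like.
    function _mutualLike(LikeRegistryStandIn reg) internal {
        vm.deal(alice, 1 ether);
        vm.deal(bob, 1 ether);
        vm.prank(alice); reg.likeUser{value: 1 ether}(bob);
        vm.prank(bob);   reg.likeUser{value: 1 ether}(alice);
    }

    function test_vulnerable_holdsEthItDoesNotAttribute() public {
        LikeRegistryStandIn reg = new LikeRegistryStandIn(false);
        _mutualLike(reg);
        assertEq(address(reg).balance, 2 ether); // ETH is in the contract...
        assertEq(_tracked(reg), 0);              // ...but no user is credited, so rewards are 0
    }

    function test_fixed_attributesEveryWei() public {
        LikeRegistryStandIn reg = new LikeRegistryStandIn(true);
        _mutualLike(reg);
        assertEq(_tracked(reg), address(reg).balance); // solvency invariant holds
    }
}
```

The same `_tracked == address(reg).balance` check makes a good Foundry invariant test against the real contract once the fix is applied, since it fails the moment any deposit path stops crediting userBalances.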
Updates

Appeal created

n0kto Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds
