User balances are not updated, leading to loss of funds
Users pay 1 ETH to "like" another user. The contract expects msg.value >= 1 ether when calling function likeUser; however, the mapping userBalances is never updated. The ETH is lost and can never be recovered, since
1) The contract reads from userBalances in function matchRewards to pool the payments into the shared multisig wallet. userBalances is zero, so no funds will be sent.
2) There is no function to recover ETH.
Users lose their funds, the multisig wallet receives zero ETH, and no fees accrue.
Foundry
Include userBalances[msg.sender] += msg.value; in function likeUser
Likelihood: High, always. Impact: High, loss of funds
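The recommended fix in context, as an added example that is not the audited contract's code. It is a constructed minimal model: only likeUser, matchRewards and userBalances are names from the report, while the contract name, the likes mapping, the multisig field and the mutual-like trigger are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed minimal model of the accounting described in the finding.
// Names other than likeUser, matchRewards and userBalances are assumed.
contract LikeAccountingModel {
    mapping(address => uint256) public userBalances;
    mapping(address => mapping(address => bool)) public likes; // assumed
    address public immutable multisig;                         // assumed

    constructor(address _multisig) {
        multisig = _multisig;
    }

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(!likes[msg.sender][liked], "Already liked");
        likes[msg.sender][liked] = true;

        // The fix: credit the payment to the sender. Without this line the
        // ETH stays in the contract while userBalances[msg.sender] is zero,
        // so matchRewards later pools and forwards nothing.
        userBalances[msg.sender] += msg.value;

        // Assumed trigger: a mutual like pools both payments.
        if (likes[liked][msg.sender]) {
            matchRewards(msg.sender, liked);
        }
    }

    // Pools both users' recorded balances and forwards them to the multisig.
    // Balances are zeroed before the external call.
    function matchRewards(address a, address b) internal {
        uint256 pooled = userBalances[a] + userBalances[b];
        userBalances[a] = 0;
        userBalances[b] = 0;
        (bool ok, ) = payable(multisig).call{value: pooled}("");
        require(ok, "Transfer failed");
    }
}
```

With the credit line removed, two mutual likes leave 2 ETH in the contract and send 0 to the multisig, which is the behaviour the finding reports.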