DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

User balances are not updated

Summary

User balances are not updated, leading to loss of funds.

Vulnerability Details

Users pay 1 ETH to "like" another user. The function likeUser requires msg.value >= 1 ether, but it never updates the mapping userBalances. The ETH is lost and can never be recovered, because:

1) The contract reads from userBalances in function matchRewards to pool the payments into the shared multisig wallet. userBalances is zero, so no funds will be sent.

2) There is no function to recover ETH.

Impact

Users lose their funds, the multisig wallet receives zero ETH, and no fees accrue.

Tools Used

Foundry

Recommendations

Add userBalances[msg.sender] += msg.value; to function likeUser, so that the payment is recorded before matchRewards reads the mapping.
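
The accounting gap and the recommended fix, side by side, as an added example: this is a simplified model written for this write-up, not the DatingDapp contract's own code. Only likeUser, matchRewards and userBalances are names from the finding; the contract names, the likes mapping, the pool address (a stand-in for the shared multisig wallet) and the creditPayment hook are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model for illustration; NOT the DatingDapp source.
// likeUser, matchRewards and userBalances are names from the finding;
// LikeModel*, likes, pool and creditPayment are hypothetical.
abstract contract LikeModel {
    mapping(address => uint256) public userBalances;
    mapping(address => mapping(address => bool)) public likes;
    address public immutable pool; // stand-in for the shared multisig wallet

    constructor(address pool_) { pool = pool_; }

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(liked != msg.sender, "Cannot like yourself");
        require(!likes[msg.sender][liked], "Already liked");
        likes[msg.sender][liked] = true;
        creditPayment();
        if (likes[liked][msg.sender]) matchRewards(liked, msg.sender);
    }

    // Hook that decides whether the incoming payment is recorded.
    function creditPayment() internal virtual;

    // Pools both recorded balances and forwards them; forwards 0 if none were recorded.
    function matchRewards(address a, address b) internal {
        uint256 total = userBalances[a] + userBalances[b];
        userBalances[a] = 0;
        userBalances[b] = 0;
        (bool ok, ) = payable(pool).call{value: total}("");
        require(ok, "Transfer failed");
    }
}

// Behaviour described in the finding: ETH is accepted but never recorded,
// so matchRewards forwards 0 and the ETH stays locked in the contract.
contract LikeModelVulnerable is LikeModel {
    constructor(address pool_) LikeModel(pool_) {}
    function creditPayment() internal override {}
}

// Recommended fix: record the payment before any match is processed.
contract LikeModelFixed is LikeModel {
    constructor(address pool_) LikeModel(pool_) {}
    function creditPayment() internal override {
        userBalances[msg.sender] += msg.value;
    }
}
```

After two users like each other with 1 ETH each, the vulnerable variant leaves 2 ETH in the contract and sends 0 to pool, while the fixed variant forwards the full 2 ETH. An invariant worth asserting in a Foundry test is that address(this).balance never exceeds the sum of recorded balances.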

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds
