DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT

Submission Details
Severity: low
Status: Invalid

Users lose their ETH if no match happens

Summary

Users pay 1 ETH to "like" another profile. If the like is mutual (a match), all payments are pooled into a shared multisig wallet. However, if no match happens, the ETH is unrecoverable.

Vulnerability Details

By calling the likeUser function, a user expresses interest in another user and sends > 1 ETH to the contract. If a match happens, that ETH is forwarded to a multisig wallet. If no match happens, the ETH stays locked in the contract, since no function exists to recover it.

Impact

Users who like a profile and never get a match lose the ETH they paid.

Tools Used

Foundry

Recommendations

Track each user's paid ETH (e.g. in a userBalances mapping credited inside likeUser) and add a function that lets them recover it, e.g.:

```solidity
function withdraw() external {
    uint256 balance = userBalances[msg.sender];
    require(balance > 0, "No balance to withdraw");
    // Zero the balance before the external call (checks-effects-interactions).
    userBalances[msg.sender] = 0;
    (bool success,) = payable(msg.sender).call{value: balance}("");
    require(success, "Transfer failed");
}
```

To prevent abuse of likeUser (liking every other user and then simply withdrawing all the ETH while the likes remain recorded), the caller's entries in the likes mapping should be cleared in the same function.
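The following is an added illustration of the recommendation and is not the DatingDapp code. Only the contract shape comes from the finding (likeUser, a likes mapping, a 1 ETH fee, pooled payout to a multisig on a mutual like); the fee check, the userBalances and likedList mappings, the constructor, the events and the withdraw logic are assumptions made for the example. It also shows the one practical wrinkle in "delete the likes mapping": a nested mapping cannot be deleted wholesale in Solidity, so the contract has to remember whom each user liked and clear those entries one by one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Example contract, not the project's own code. Names and fee logic are assumed.
contract LikeRegistryHardened {
    uint256 public constant LIKE_FEE = 1 ether; // assumed: fee taken from the finding
    address public immutable multisig;          // pooled payout target on a match

    mapping(address => mapping(address => bool)) public likes; // liker => liked => true
    mapping(address => address[]) private likedList;           // liker => everyone they liked
    mapping(address => uint256) public userBalances;           // ETH still refundable per user

    event Matched(address indexed a, address indexed b, uint256 pooled);
    event Withdrawn(address indexed user, uint256 amount);

    constructor(address _multisig) {
        require(_multisig != address(0), "Zero multisig");
        multisig = _multisig;
    }

    function likeUser(address liked) external payable {
        require(msg.value >= LIKE_FEE, "Must send at least 1 ETH"); // assumed threshold
        require(liked != msg.sender, "Cannot like yourself");
        require(!likes[msg.sender][liked], "Already liked");

        likes[msg.sender][liked] = true;
        likedList[msg.sender].push(liked);
        userBalances[msg.sender] += msg.value; // credit the payer instead of swallowing the ETH

        if (likes[liked][msg.sender]) {
            // Mutual like: pool both sides' credited ETH and forward it to the multisig,
            // mirroring the "all payments are pooled" behaviour described in the finding.
            uint256 pooled = userBalances[msg.sender] + userBalances[liked];
            userBalances[msg.sender] = 0;
            userBalances[liked] = 0;
            emit Matched(msg.sender, liked, pooled);
            (bool ok,) = payable(multisig).call{value: pooled}("");
            require(ok, "Multisig transfer failed");
        }
    }

    /// Refund unmatched ETH. Clears the caller's likes so the fee cannot be recycled
    /// by liking everyone, withdrawing, and still holding the recorded likes.
    function withdraw() external {
        uint256 balance = userBalances[msg.sender];
        require(balance > 0, "No balance to withdraw");
        userBalances[msg.sender] = 0; // effects before the external call

        address[] storage liked = likedList[msg.sender];
        for (uint256 i = 0; i < liked.length; i++) {
            delete likes[msg.sender][liked[i]]; // nested mapping: clear entry by entry
        }
        delete likedList[msg.sender];

        emit Withdrawn(msg.sender, balance);
        (bool success,) = payable(msg.sender).call{value: balance}("");
        require(success, "Transfer failed");
    }
}
```

Two design points worth noting when adapting this: the loop in withdraw is bounded only by how many profiles the caller liked, so a contract with an unlimited number of likes per user should cap that count or refund in batches to avoid a withdraw that runs out of gas; and once a user has been matched, their balance is already zero, so a later withdraw call reverts rather than paying out ETH that was forwarded to the multisig.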

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
