A vulnerability has been identified in the LikeRegistry contract: the funds sent with the likeUser function are never recorded in the userBalances mapping. As a result, the matchRewards function reads zero balances during reward distribution, effectively nullifying any intended reward.
In the likeUser function, users are required to send at least 1 ETH when liking another user. The function enforces the payment via require(msg.value >= 1 ether, "Must send at least 1 ETH"), but it never updates the userBalances mapping with the received funds, so the ETH sent by the user is not attributed to their balance. Consequently, when a mutual like occurs and the matchRewards function is called, it retrieves zero values for both users from userBalances. The reward calculation then subtracts the fixed fee from a total of zero, and no rewards are distributed even though funds were sent.
Financial Loss for Users: Users who send ETH expecting a reward upon a match will not receive any rewards, leading to potential financial loss or dissatisfaction.
Tools used: manual code review.
1. Update the likeUser function: modify the function so that it updates the userBalances mapping by adding the received ETH value to the sender's balance. For example, include the following line after the initial validations:
2. Verify balance management: ensure that the funds are correctly managed and that subsequent functions (such as matchRewards) use the updated balances to calculate and distribute rewards accurately.
3. Testing: perform thorough testing, including unit tests and integration tests, to verify that the reward mechanism functions as intended after the update.
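To make the recommended fix concrete, the following contract is an added, hypothetical reconstruction of the pattern this finding describes; it is not the LikeRegistry source. The names likeUser, matchRewards and userBalances are taken from the report, while the fee value (FIXED_FEE), the likes mapping, the pull-payment ledger (pendingRewards, withdrawReward) and the split-the-remainder payout are assumptions made for illustration. The vulnerable and fixed variants of likeUser sit side by side so the missing bookkeeping line is visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction of the pattern described in this finding.
// likeUser, matchRewards and userBalances come from the report; the fee
// value, storage layout and payout scheme are assumptions.
contract LikeRegistryExample {
    uint256 public constant FIXED_FEE = 0.1 ether; // assumed fee

    mapping(address => uint256) public userBalances;
    mapping(address => mapping(address => bool)) public likes;
    mapping(address => uint256) public pendingRewards; // assumed pull-payment ledger

    event Matched(address indexed a, address indexed b, uint256 rewardEach);

    // Vulnerable variant: the payment is enforced but never credited,
    // so matchRewards later reads 0 for both users.
    function likeUserVulnerable(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(liked != msg.sender, "Cannot like yourself");
        likes[msg.sender][liked] = true;
        // Missing: userBalances[msg.sender] += msg.value;
        if (likes[liked][msg.sender]) {
            matchRewards(msg.sender, liked);
        }
    }

    // Fixed variant: credit the sender before the match check runs.
    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(liked != msg.sender, "Cannot like yourself");
        userBalances[msg.sender] += msg.value; // the bookkeeping the report asks for
        likes[msg.sender][liked] = true;
        if (likes[liked][msg.sender]) {
            matchRewards(msg.sender, liked);
        }
    }

    // Assumed reward logic: pool both balances, deduct the fixed fee and
    // split the remainder. With uncredited balances `total` is 0, the fee
    // cannot be covered and the reward collapses to 0.
    function matchRewards(address a, address b) internal {
        uint256 total = userBalances[a] + userBalances[b];
        userBalances[a] = 0;
        userBalances[b] = 0;
        uint256 reward = total > FIXED_FEE ? total - FIXED_FEE : 0;
        uint256 each = reward / 2;
        pendingRewards[a] += each;
        pendingRewards[b] += each;
        emit Matched(a, b, each);
    }

    // Pull payment: users withdraw their own reward, state is cleared first.
    function withdrawReward() external {
        uint256 amount = pendingRewards[msg.sender];
        require(amount > 0, "Nothing to withdraw");
        pendingRewards[msg.sender] = 0; // checks-effects-interactions
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Transfer failed");
    }
}
```

Walking through the assumed numbers: if Alice and Bob each send 1 ETH through likeUserVulnerable, the second call triggers matchRewards with total = 0, so both pendingRewards stay at 0 while the contract holds 2 ETH. Through the fixed likeUser, total = 2 ETH, the 0.1 ETH fee is deducted and each user can withdraw 0.95 ETH. Two points worth checking in the tests the report recommends: first, if the real matchRewards uses a plain checked subtraction (total - fee) rather than the guard shown here, the zero-balance path reverts instead of silently paying 0, so a test must assert on the resulting balances, not merely on whether the call succeeds; second, after the fix an invariant test should confirm that the contract's ETH balance always equals the sum of userBalances, pendingRewards and collected fees, which is exactly the accounting the original code breaks.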
Likelihood: High (always). Impact: High (loss of funds).