The LikeRegistry.sol::matchRewards() function incorrectly calculates rewards when a user has liked multiple users. This can lead to improper reward distribution and unintended fund allocation.
The contract uses a single userBalances mapping (mapping(address => uint256)) to track deposited ETH per user. However, users can like multiple profiles, increasing their balance without tracking who the ETH was meant for.
Consider the following scenario:
Alice likes Bob → deposits 1 ETH
Alice likes Josh → deposits 1 ETH
userBalances[Alice] = 2 ETH
Bob likes Alice back → match triggers matchRewards(Alice, Bob)
matchRewards assumes Alice's entire balance (2 ETH) belongs to Bob
Incorrect totalRewards = 3 ETH (instead of expected 2 ETH - fees)
This flaw misallocates funds, leading to incorrect transfers to the wrong multisig wallet and potential fund mismanagement.
Users' ETH gets miscalculated and sent incorrectly.
Matched users may receive ETH that belongs to an unrelated pending match.
Other users may lose their deposited ETH unfairly.
Manual review
Upgrade the userBalances mapping in LikeRegistry.sol to a nested one. This ensures deposits are tracked per liked user, preventing unrelated funds from being included in a match.
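The following is an added, simplified illustration of the accounting flaw from the scenario above and of the nested-mapping fix recommended here; it is not the audited LikeRegistry.sol. Only userBalances and matchRewards are taken from the finding; likeUser, likes, matchPot and FEE_BPS are assumed names standing in for the real like/deposit flow, per-match wallet funding and fee logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for the audited contract (not the project's code).
// Names other than userBalances and matchRewards are assumptions.

// Vulnerable accounting: one balance per liker, with no record of which
// profile each deposit was made for.
contract LikeRegistryVulnerable {
    uint256 public constant FEE_BPS = 1000;            // assumed 10% fee (constructed value)
    mapping(address => uint256) public userBalances;   // liker => total ETH deposited
    mapping(address => mapping(address => bool)) public likes;
    // Stand-in for the ETH forwarded to a per-match wallet.
    mapping(address => mapping(address => uint256)) public matchPot;

    function likeUser(address liked) external payable {
        require(msg.value > 0, "deposit required");
        likes[msg.sender][liked] = true;
        // Alice's deposit for Josh lands in the same bucket as her deposit for Bob.
        userBalances[msg.sender] += msg.value;
        if (likes[liked][msg.sender]) matchRewards(liked, msg.sender);
    }

    function matchRewards(address from, address to) internal {
        // In the scenario: userBalances[Alice] (2 ETH) + userBalances[Bob] (1 ETH) = 3 ETH
        uint256 totalRewards = userBalances[from] + userBalances[to];
        userBalances[from] = 0;
        userBalances[to] = 0;
        uint256 fee = (totalRewards * FEE_BPS) / 10_000;
        // Alice's ETH intended for Josh now funds the Alice/Bob match.
        matchPot[from][to] = totalRewards - fee;
        // Forwarding of `fee` to the protocol is omitted here.
    }
}

// Fixed accounting: each deposit is attributed to the liked profile, so a
// match only pools the ETH the two parties deposited for each other.
contract LikeRegistryFixed {
    uint256 public constant FEE_BPS = 1000;
    mapping(address => mapping(address => uint256)) public userBalances; // liker => liked => ETH
    mapping(address => mapping(address => bool)) public likes;
    mapping(address => mapping(address => uint256)) public matchPot;

    function likeUser(address liked) external payable {
        require(msg.value > 0, "deposit required");
        likes[msg.sender][liked] = true;
        userBalances[msg.sender][liked] += msg.value;
        if (likes[liked][msg.sender]) matchRewards(liked, msg.sender);
    }

    function matchRewards(address from, address to) internal {
        // In the scenario: userBalances[Alice][Bob] (1 ETH) + userBalances[Bob][Alice] (1 ETH) = 2 ETH
        uint256 totalRewards = userBalances[from][to] + userBalances[to][from];
        userBalances[from][to] = 0;
        userBalances[to][from] = 0;
        uint256 fee = (totalRewards * FEE_BPS) / 10_000;
        // Alice's deposit for Josh remains untouched in userBalances[Alice][Josh].
        matchPot[from][to] = totalRewards - fee;
    }
}
```

With the nested mapping, the Alice/Bob match pools exactly 2 ETH minus fees, and the 1 ETH Alice deposited for Josh stays reserved for a potential Alice/Josh match instead of being swept into an unrelated one.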