The likeUser function requires at least 1 ETH, but it does not prevent users from sending more. Any excess ETH is not refunded, leading to potential loss of funds.
The likeUser function requires users to send at least 1 ETH (msg.value >= 1 ether). However, there is no upper limit or refund mechanism if a user accidentally overpays (e.g., sends 2 ETH instead of 1 ETH).
Since the contract does not return excess funds, any additional ETH is permanently locked in the contract, leading to potential fund loss for users.
User Funds Loss – Any ETH sent above 1 ETH is lost forever. If a user mistakenly sends 10 ETH instead of 1 ETH, they will never get the excess 9 ETH back.
Exploitable by Malicious Contracts – Bots or attackers could trick users into overpaying without any way to recover funds.
Poor User Experience – There is no incentive or refund for overpaying, making it unfair to users who mistakenly send more ETH.
Manual Review
Strictly enforce the exact required ETH amount:
require(msg.value == 1 ether, "Must send exactly 1 ETH");
This ensures users cannot overpay and prevents unnecessary fund loss.
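The following Solidity snippet is an added illustration and is not the audited contract's code: it places a minimal version of the overpaying-accepting pattern next to the recommended exact-amount check, plus a refund variant for projects that prefer to tolerate overpayment. The contract names, the likes mapping and the LIKE_PRICE constant are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract. The contract names, the
// `likes` mapping and `LIKE_PRICE` are assumptions for illustration.

contract LikeVulnerable {
    mapping(address => uint256) public likes;

    // Vulnerable pattern: any value >= 1 ether is accepted, and the excess
    // stays in the contract with no way for the caller to recover it.
    function likeUser(address user) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        likes[user] += 1;
        // A caller sending 2 ETH is credited one like; 1 ETH is locked.
    }
}

contract LikeFixed {
    uint256 public constant LIKE_PRICE = 1 ether;
    mapping(address => uint256) public likes;

    // Recommended fix: reject anything other than the exact price, so an
    // accidental overpayment reverts instead of being silently kept.
    function likeUser(address user) external payable {
        require(msg.value == LIKE_PRICE, "Must send exactly 1 ETH");
        likes[user] += 1;
    }

    // Alternative if overpayment must be tolerated: update state first,
    // then return the excess (checks-effects-interactions order).
    function likeUserWithRefund(address user) external payable {
        require(msg.value >= LIKE_PRICE, "Must send at least 1 ETH");
        likes[user] += 1;
        uint256 excess = msg.value - LIKE_PRICE;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "Refund failed");
        }
    }
}
```

The exact-amount check is the simpler and cheaper option; the refund variant is only worth its extra external call when the protocol genuinely needs to accept a range of values, and it must perform the refund after all state changes so a reverting or re-entering receiver cannot affect accounting.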
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.