Users who send 1 ETH to like another profile will permanently lose their funds if the other user does not like them back. There is no refund mechanism, meaning ETH remains locked in the contract without any way to reclaim it. This creates an unfair financial risk and discourages participation.
In the likeUser function, users are required to send at least 1 ETH to like another profile. However, if the liked user does not like back (either due to lack of interest or insufficient funds), the sender’s ETH remains locked in the contract with no way to reclaim it.
User A calls likeUser(likedUser) and sends 1 ETH.
User B does not respond (either lacks funds or is uninterested).
The ETH is permanently lost as there is no refund mechanism.
Unfair financial risk for users who like profiles but don’t get matched.
Discourages participation, as users may hesitate to like profiles due to the risk of losing ETH.
Creates an unintended financial sink, where ETH accumulates in the contract without serving its purpose.
Manual Review
Refund Mechanism: Allow users to withdraw their ETH if their like remains unmatched after a certain period.
Escrow System: Store ETH in escrow and only deduct funds when a match occurs.
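A sketch of how the two recommendations above could fit together, added here as an illustration and not taken from the audited contract: each like is held in a per-pair escrow entry, a mutual like consumes both entries, and an unmatched like becomes refundable after a timeout. Apart from likeUser and the 1 ETH price, every name is hypothetical, the 7-day delay is an assumed value, and matchedBalance is only a placeholder for whatever the protocol does with matched funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract. Names other than likeUser are hypothetical.
contract LikeEscrowSketch {
    uint256 public constant LIKE_PRICE = 1 ether;
    uint256 public constant REFUND_DELAY = 7 days; // assumed timeout, not from the page

    struct Like { uint256 amount; uint64 placedAt; }
    // liker => liked => escrowed like that has not been matched yet
    mapping(address => mapping(address => Like)) public likes;
    // Placeholder accounting for funds consumed by a match (their use is out of scope here)
    mapping(address => uint256) public matchedBalance;

    event Liked(address indexed liker, address indexed liked);
    event Matched(address indexed a, address indexed b);
    event Refunded(address indexed liker, address indexed liked, uint256 amount);

    function likeUser(address liked) external payable {
        require(msg.value >= LIKE_PRICE, "must send at least 1 ETH");
        require(liked != msg.sender, "cannot like self");
        require(likes[msg.sender][liked].amount == 0, "already liked");
        likes[msg.sender][liked] = Like(msg.value, uint64(block.timestamp));
        emit Liked(msg.sender, liked);

        Like memory back = likes[liked][msg.sender];
        if (back.amount != 0) {
            // Mutual like: both deposits leave escrow and are no longer refundable.
            delete likes[msg.sender][liked];
            delete likes[liked][msg.sender];
            matchedBalance[msg.sender] += msg.value;
            matchedBalance[liked] += back.amount;
            emit Matched(msg.sender, liked);
        }
    }

    // Lets the liker reclaim the deposit once the like has stayed unmatched for REFUND_DELAY.
    function refundUnmatchedLike(address liked) external {
        Like memory l = likes[msg.sender][liked];
        require(l.amount != 0, "no pending like");
        require(block.timestamp >= l.placedAt + REFUND_DELAY, "refund window not open");
        delete likes[msg.sender][liked]; // clear state before the external call (reentrancy)
        (bool ok, ) = payable(msg.sender).call{value: l.amount}("");
        require(ok, "refund transfer failed");
        emit Refunded(msg.sender, liked, l.amount);
    }
}
```

Because a match deletes both escrow entries, a deposit can be either matched or refunded, never both.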
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.