DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Stuck ETH Due to Unreciprocated Likes in likeUser Function

Summary

Vulnerability Details

The likeUser function in LikeRegistry.sol requires a user to send 1 ETH when liking another user. If the liked user never reciprocates, that ETH stays in the contract indefinitely: there is no refund path, so the sender loses the funds. As more users interact with the contract, the amount of permanently locked ETH grows, causing financial losses and eroding user trust.

Impact

Impact Analysis

  1. Permanent Loss of Funds

    • Users who send 1 ETH but do not receive a like in return will never get their ETH back, resulting in financial loss.

    • Over time, as more users interact with the system, substantial amounts of ETH will accumulate in the contract with no way to retrieve it.

  2. Negative User Experience and Reputation Damage

    • Users expecting a fair system will feel misled and financially exploited, reducing trust in the platform.

    • If users recognize that their ETH can be permanently lost, engagement with the platform will decrease.

  3. Contract Becomes a Black Hole for ETH

    • ETH sent in unsuccessful likes has no exit path, meaning funds accumulate indefinitely without any beneficiary.

    • This violates good smart contract design principles, where every incoming ETH should have a clear recipient or refund mechanism.

  4. Potential Exploitation for Financial Gain

    • The contract deployer or malicious actors could artificially generate likes to trap ETH, exploiting unsuspecting users.

    • If a user knows they will not reciprocate likes, they could profit indirectly from the vulnerability by encouraging others to like them.

POC

Proof of Concept (PoC)

Reproducing the Issue

  1. User A attempts to like User B by sending 1 ETH.

  2. User B does not like back.

  3. User A cannot withdraw their ETH because no refund function exists.

  4. ETH remains locked inside the contract permanently.

Test Result:

  • ETH is sent to the contract.

  • If likes[userB][userA] remains false, there is no function allowing userA to withdraw their ETH.

  • The contract retains all ETH without any exit strategy.

Tools Used

Manual review

Recommendations

1. Implement a Refund Mechanism

Introduce a function allowing users to withdraw their 1 ETH if the liked user does not reciprocate within a set timeframe.
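The following is an illustrative Solidity sketch of such a timed refund, added here as an example; it is not the DatingDapp LikeRegistry.sol code, and the contract name, the 7-day window and the matched flag are assumptions. It keeps the likes[liker][liked] bookkeeping described above and adds a refund path that only opens after the delay and only while the like is unmatched; the judge's note below that a withdrawal before a match can be front-run still applies, since a delay narrows that window rather than removing it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative registry (not the DatingDapp contract): a like costs 1 ETH,
/// and an unreciprocated like becomes refundable after REFUND_DELAY.
contract TimedLikeRegistry {
    uint256 public constant LIKE_COST = 1 ether;
    uint256 public constant REFUND_DELAY = 7 days; // assumed timeframe

    mapping(address => mapping(address => bool)) public likes;      // likes[liker][liked]
    mapping(address => mapping(address => uint256)) public likedAt; // when the like was paid
    mapping(address => mapping(address => bool)) public matched;    // set once the like is mutual

    event Liked(address indexed liker, address indexed liked);
    event Matched(address indexed a, address indexed b);
    event Refunded(address indexed liker, address indexed liked, uint256 amount);

    function likeUser(address liked) external payable {
        require(msg.value == LIKE_COST, "Must send exactly 1 ETH");
        require(liked != msg.sender, "Cannot like yourself");
        require(!likes[msg.sender][liked], "Already liked");
        likes[msg.sender][liked] = true;
        likedAt[msg.sender][liked] = block.timestamp;
        emit Liked(msg.sender, liked);
        if (likes[liked][msg.sender]) {
            // Mutual like: neither side's payment is refundable any more.
            matched[msg.sender][liked] = true;
            matched[liked][msg.sender] = true;
            emit Matched(msg.sender, liked);
            // The real design pools the payments (minus fee) to a multisig here.
        }
    }

    /// Refund an unreciprocated like once the delay has passed.
    function refundUnmatchedLike(address liked) external {
        require(likes[msg.sender][liked], "No like to refund");
        require(!matched[msg.sender][liked], "Already matched");
        require(block.timestamp >= likedAt[msg.sender][liked] + REFUND_DELAY, "Refund window not open");
        // Clear state before sending ETH (checks-effects-interactions).
        likes[msg.sender][liked] = false;
        likedAt[msg.sender][liked] = 0;
        (bool ok, ) = msg.sender.call{value: LIKE_COST}("");
        require(ok, "Refund transfer failed");
        emit Refunded(msg.sender, liked, LIKE_COST);
    }
}
```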

Updates

Appeal created

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

invalid_no_withdrawing_function_and_like_all_used

Money collected will be sent to the MultisigWallet during the first match. Emergency withdraw could lead to a frontrun before a match. "If the like is mutual, all their previous like payments (minus a 10% fee) are pooled into a shared multisig wallet" Design choice
