The Multisig Romance Scam is a deceptive scheme where a scammer fakes romantic interest in a victim through the Dating Dapp. By mutually liking the victim, the scammer gains access to a shared multisig wallet. Over time, they manipulate the victim’s trust and convince them to approve a fraudulent transaction, allowing the scammer to withdraw all funds. Due to the lack of withdrawal restrictions, fraud detection, or dispute resolution mechanisms, the victim has no recourse, making this an effective and severe financial exploit.
The scammer mutually likes the victim, triggering a shared multisig wallet.
The victim trusts the scammer and approves a withdrawal, sending all funds to the scammer.
The scammer disappears, leaving the victim with no way to recover funds.
POC - Multisig Romance Scam
Financial Loss: Users can lose unlimited ETH to romance scammers.
Trust Issues: Users will stop using the platform if scamming becomes widespread.
Reputation Damage: The Dating Dapp may face legal risks if users report scams.
Manual Review
Implement a maximum daily withdrawal limit for new matches.
Add time delays on withdrawals.
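The two mitigations recommended above (a withdrawal cap and a time delay), sketched in Solidity as an added example; this is not the Dating Dapp's code and not part of the submission. The contract name, the two-owner layout, and the `DELAY` and `DAILY_CAP` values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical wallet: every name and both constants are assumptions, not the Dating Dapp's code.
contract GuardedMatchWallet {
    uint256 public constant DELAY = 2 days;         // assumed cooling-off period
    uint256 public constant DAILY_CAP = 0.1 ether;  // assumed per-day limit
    address public immutable owner1;
    address public immutable owner2;
    struct Withdrawal { address to; uint256 amount; uint256 readyAt; bool ok1; bool ok2; bool closed; }
    Withdrawal[] public withdrawals;
    mapping(uint256 => uint256) public spentOnDay;  // day index => wei already sent
    modifier onlyOwner() { require(msg.sender == owner1 || msg.sender == owner2, "not owner"); _; }

    constructor(address a, address b) {
        require(a != address(0) && b != address(0) && a != b, "bad owners");
        owner1 = a; owner2 = b;
    }
    receive() external payable {}

    function propose(address to, uint256 amount) external onlyOwner returns (uint256 id) {
        require(to != address(0) && amount > 0 && amount <= DAILY_CAP, "bad request");
        withdrawals.push(Withdrawal(to, amount, 0, false, false, false));
        id = withdrawals.length - 1;
    }

    function approve(uint256 id) external onlyOwner {
        Withdrawal storage w = withdrawals[id];
        require(!w.closed, "closed");
        if (msg.sender == owner1) w.ok1 = true; else w.ok2 = true;
        // The clock starts only once both owners have approved.
        if (w.ok1 && w.ok2 && w.readyAt == 0) w.readyAt = block.timestamp + DELAY;
    }

    // Either owner may back out while the delay runs, even after approving.
    function cancel(uint256 id) external onlyOwner {
        require(!withdrawals[id].closed, "closed");
        withdrawals[id].closed = true;
    }

    function execute(uint256 id) external onlyOwner {
        Withdrawal storage w = withdrawals[id];
        require(!w.closed && w.readyAt != 0 && block.timestamp >= w.readyAt, "not approved or timelocked");
        uint256 day = block.timestamp / 1 days;
        require(spentOnDay[day] + w.amount <= DAILY_CAP, "daily cap");
        spentOnDay[day] += w.amount;
        w.closed = true;  // state is updated before the external call
        (bool sent, ) = w.to.call{value: w.amount}("");
        require(sent, "transfer failed");
    }
}
```

Because the delay starts at the second approval and `cancel` stays open to either owner, a user who approved under pressure has the whole cooling-off window to revoke, and the per-day cap bounds what a single approved request can move.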
Scamming/phishing is not a protocol problem; that's a user mistake. NFTs are unique; even if someone makes a copy of your profile (which is also possible in web2), I consider it informational. Injection is a problem for the web2 part of the protocol, not a bug here. For the age, it depends on the country's law and future medicine. Anyway, that's more an ethical/political problem, not a bug.