H-01. No way to set userBalances
Summary
In LikeRegistry.sol, there is no function to properly increase userBalances. As a result, the reward distribution mechanism in the contract fails, making the intended reward system ineffective.
Vulnerability Details
The key issue lies in the likeUser() and matchRewards() functions:
userBalances[msg.sender]is never updated when a user sends ETH.In
matchRewards(), the contract attempts to read and resetuserBalancesfor both matched users (fromandto), but sinceuserBalancesis always zero, no rewards are distributed.
This leads to the core functionality of rewarding users upon a match being completely broken.
Impact
No actual rewards are distributed to matched users.
The fee collection system (
totalFees) becomes non-functional as it always remains zero.The contract fails to meet its intended business logic, which can diminish user trust.
Tools Used
Manual review
Recommendations
Update userBalances in the likeUser() function to record user payments:
Appeal created
finding_likeUser_no_userBalances_updated
Likelihood: High, always. Impact: High, loss of funds
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.