DatingDapp

Summary

In LikeRegistry.sol, there is no way for users to cancel their "likes." This leads to a situation where the ETH transferred for an unmatched "like" remains locked in the contract indefinitely.

Vulnerability Details

When a user likes another user by calling the likeUser() function, they are required to transfer at least 1 ETH. However, if the recipient does not reciprocate the like, the ETH remains locked in the contract.
Since there is no function to cancel a "like" or withdraw the locked funds, users may lose access to their ETH.

Example Scenario

1. User A sends 1 ETH to like User B.

2. User B does not like User A back.

3. User A cannot recover the 1 ETH since the contract lacks a mechanism to reverse or withdraw unmatched likes.

Impact

• Locked funds for users who do not receive a reciprocal like.

• Users may become reluctant to use the platform due to potential loss of funds.

• Reduces the overall utility and user experience of the contract.

Tools Used

Manual review

Recommendations

1. Add a function to allow users to cancel a "like" and recover their ETH if the like has not resulted in a match:

   function cancelLike(address liked) external {

   require(likes[msg.sender][liked], "No active like");

   require(!likes[liked][msg.sender], "Already matched");

   uint256 refundAmount = likeAmounts[msg.sender][liked];

   likeAmounts[msg.sender][liked] = 0;

   likes[msg.sender][liked] = false;

   ​

   (bool success,) = payable(msg.sender).call{value: refundAmount}("");

   require(success, "Refund failed");

   }

2. Ensure that likeAmounts[msg.sender][liked] is properly initialized and tracked when the user sends ETH to like another user.

3. Add unit tests to verify that users can successfully cancel unmatched likes and receive refunds.