DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Invalid

Ineffective Mutual Like Rewards System

Summary

The README indicates that upon a mutual like, all previous like payments from both users, even those from non-mutual likes, should be pooled into a shared multisig wallet. However, the current implementation doesn't correctly aggregate all previous payments, including those from non-mutual likes, into the wallet upon a match.

Vulnerability Details

Impact

Users are not receiving their expected pooled funds, impacting the system's promise of rewarding all previous interactions.
This could lead to user dissatisfaction and loss of trust in the system's mechanics.

Tools Used

Manual Review

Recommendations

Implement a mapping to track all likes for each user, then pool all these payments upon a mutual match:
```solidity
// In the contract, add this mapping:
mapping(address => uint256[]) public userLikes;

function likeUser(address liked) external payable {
    require(msg.value == 1 ether, "Must send exactly 1 ETH");
    require(!likes[msg.sender][liked], "Already liked");
    require(msg.sender != liked, "Cannot like yourself");
    require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
    require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

    likes[msg.sender][liked] = true;
    userLikes[msg.sender].push(msg.value); // Track all likes payments
    emit Liked(msg.sender, liked);

    if (likes[liked][msg.sender]) {
        matches[msg.sender].push(liked);
        matches[liked].push(msg.sender);
        emit Matched(msg.sender, liked);
        matchRewards(msg.sender, liked);
    }
}

function matchRewards(address from, address to) internal {
    uint256 totalRewardsFrom = 0;
    uint256 totalRewardsTo = 0;

    // Sum up all previous likes for both users
    for (uint256 i = 0; i < userLikes[from].length; i++) {
        totalRewardsFrom += userLikes[from][i];
    }
    for (uint256 i = 0; i < userLikes[to].length; i++) {
        totalRewardsTo += userLikes[to][i];
    }

    uint256 totalRewards = totalRewardsFrom + totalRewardsTo;
    uint256 matchingFees = (totalRewards * FIXEDFEE) / 100;
    uint256 rewards = totalRewards - matchingFees;

    // Deploy and fund the MultiSigWallet with all rewards
    MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
    (bool success, ) = payable(address(multiSigWallet)).call{value: rewards}("");
    require(success, "Transfer to MultiSig failed");

    // Clear userLikes after transfer
    delete userLikes[from];
    delete userLikes[to];
}
```
Explanation:

With this approach, each user's like payments are stored in an array within `userLikes`. When a mutual match is detected, `matchRewards` calculates the sum of all previous likes from both users, applies the fee, and then transfers the remaining amount to the MultiSig wallet.
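
The accounting described above can be checked off-chain before it is written into a Foundry test. The following Python model is an added example, not code from the submission or the project: `LikeLedger`, `run_scenario`, `fees_retained`, the three user names and the `FIXEDFEE` value of 10 are assumptions, and the profile NFT checks are left out. It shows that a user's earlier non-mutual like is swept into their first match, so a later match with that other user pools only the other side's payment.

```python
# Added model of the recommended accounting; not the project's contract code.
ETHER = 10**18
FIXEDFEE = 10  # assumed fee percentage; the page does not state the value


class LikeLedger:
    """Mirrors likeUser/matchRewards from the recommendation, in wei."""

    def __init__(self):
        self.likes = set()      # (liker, liked) pairs
        self.user_likes = {}    # address -> list of unpooled payments
        self.wallets = []       # (owner_a, owner_b, funded_amount)
        self.fees_retained = 0  # model-only counter: fee left in the contract

    def like_user(self, sender, liked, value=ETHER):
        if value != ETHER:
            raise ValueError("Must send exactly 1 ETH")
        if (sender, liked) in self.likes:
            raise ValueError("Already liked")
        if sender == liked:
            raise ValueError("Cannot like yourself")
        self.likes.add((sender, liked))
        self.user_likes.setdefault(sender, []).append(value)
        if (liked, sender) in self.likes:
            return self._match_rewards(sender, liked)
        return None

    def _match_rewards(self, frm, to):
        # pop() plays the role of `delete userLikes[...]` after summing
        total = sum(self.user_likes.pop(frm, [])) + sum(self.user_likes.pop(to, []))
        fee = total * FIXEDFEE // 100
        self.fees_retained += fee
        self.wallets.append((frm, to, total - fee))
        return total - fee


def run_scenario():
    """Constructed scenario: alice likes carol, matches bob, then carol likes back."""
    ledger = LikeLedger()
    ledger.like_user("alice", "carol")           # non-mutual like, 1 ETH held
    ledger.like_user("alice", "bob")             # second unpooled payment
    first = ledger.like_user("bob", "alice")     # match: sweeps 3 ETH in total
    second = ledger.like_user("carol", "alice")  # match: only carol's 1 ETH is left
    return first, second, ledger.fees_retained
```
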
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
