DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

User Balances Not Updated, Resulting in Zero Rewards

Summary

The userBalances mapping is never updated anywhere in the contract, in particular not in the likeUser function where likes (and the ETH sent with them) are registered. Consequently, matchUserOne and matchUserTwo in matchRewards are always zero, so no rewards are ever transferred to the MultiSig wallet.

Vulnerability Details

Deploy the LikeRegistry with the current setup where userBalances are not updated.
Have two users like each other to create a match.
Check if the MultiSig wallet associated with this match receives any funds.
PoC Code:
```solidity
// Assumes the LikeRegistry under test is deployed as `likeRegistry` in setUp()
// and that the test contract inherits forge-std's Test.
function testUserBalancesNotUpdated() public {
    address user1 = address(0x123);
    address user2 = address(0x456);
    vm.deal(user1, 2 ether);
    vm.deal(user2, 2 ether);

    vm.prank(user1);
    likeRegistry.likeUser{value: 1 ether}(user2);

    // matchRewards deploys the MultiSigWallet with CREATE from the registry,
    // so its address follows from the registry address and its next nonce.
    address multiSigAddress = computeCreateAddress(address(likeRegistry), vm.getNonce(address(likeRegistry)));

    vm.prank(user2);
    likeRegistry.likeUser{value: 1 ether}(user1);

    // Check if MultiSig wallet received any funds
    assertEq(multiSigAddress.balance, 0, "MultiSig wallet should have zero balance since userBalances are not updated");
    // The 2 ETH paid for the two likes stays stuck in the registry
    assertEq(address(likeRegistry).balance, 2 ether, "ETH from likes remains in LikeRegistry");
}
```
Explanation:
This PoC confirms that, because likeUser never credits userBalances, no funds are transferred to the MultiSig wallet upon a match; the ETH sent with each like remains in the LikeRegistry contract instead.

Impact

The MultiSig wallet receives no funds because totalRewards is always calculated as zero, since matchUserOne and matchUserTwo are both zero.
Users are never rewarded for their likes, and the ETH they paid is left in the registry, which can lead to severe dissatisfaction, loss of trust, and the platform failing to deliver on its core promise of rewarding mutual matches.

Tools Used

Manual Review and Foundry

Recommendations

Ensure that userBalances are updated in the likeUser function to reflect each user's contribution:
```solidity
function likeUser(address liked) external payable {
    require(msg.value == 1 ether, "Must send exactly 1 ETH");
    // ... existing checks ...
    userBalances[msg.sender] += msg.value; // Update this line to reflect payments
    // ... rest of the function
}
```
Here is how the matchRewards function might look with console logging for debugging:
```solidity
function matchRewards(address from, address to) internal {
    uint256 matchUserOne = userBalances[from];
    uint256 matchUserTwo = userBalances[to];
    console.log("User1 balance:", matchUserOne);
    console.log("User2 balance:", matchUserTwo);

    userBalances[from] = 0;
    userBalances[to] = 0;

    uint256 totalRewards = matchUserOne + matchUserTwo;
    uint256 matchingFees = (totalRewards * FIXEDFEE) / 100;
    uint256 rewards = totalRewards - matchingFees;
    totalFees += matchingFees;
    console.log("Total rewards:", totalRewards);
    console.log("Fees:", matchingFees);
    console.log("Rewards to transfer:", rewards);

    // Deploy a MultiSig contract for the matched users
    MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
    console.log("Attempting transfer to MultiSig wallet:", address(multiSigWallet), "with amount:", rewards);
    (bool success,) = payable(address(multiSigWallet)).call{value: rewards}("");
    require(success, "Transfer to MultiSig failed");
    console.log("Transfer to MultiSig successful, new balance:", address(multiSigWallet).balance);
}
```
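As an added regression test for the fix above (not part of the original submission or the project's own test suite), the following Foundry test asserts where the ETH ends up once likeUser credits userBalances. It assumes the fixed LikeRegistry is deployed as `likeRegistry` in setUp(), that FIXEDFEE and userBalances have public getters, and that the test contract inherits forge-std's Test.

```solidity
// Added regression test (not from the original submission). Assumptions:
// `likeRegistry` is the fixed contract deployed in setUp(), FIXEDFEE and
// userBalances are public, and this contract inherits forge-std's Test.
function testMatchFundsMultiSigAfterFix() public {
    address user1 = makeAddr("user1");
    address user2 = makeAddr("user2");
    vm.deal(user1, 2 ether);
    vm.deal(user2, 2 ether);

    vm.prank(user1);
    likeRegistry.likeUser{value: 1 ether}(user2);
    // With the fix, the first like is credited before any match exists.
    assertEq(likeRegistry.userBalances(user1), 1 ether, "first like not credited");
    assertEq(address(likeRegistry).balance, 1 ether, "registry should hold the first like's ETH");

    // matchRewards deploys the MultiSigWallet with CREATE from the registry,
    // so its address follows from the registry's current nonce.
    address expectedMultiSig = computeCreateAddress(address(likeRegistry), vm.getNonce(address(likeRegistry)));

    // The mutual like triggers matchRewards.
    vm.prank(user2);
    likeRegistry.likeUser{value: 1 ether}(user1);

    uint256 total = 2 ether;
    uint256 fee = (total * likeRegistry.FIXEDFEE()) / 100;

    assertEq(expectedMultiSig.balance, total - fee, "multisig should receive rewards net of fee");
    assertEq(address(likeRegistry).balance, fee, "registry should retain only the protocol fee");
    // Balances are consumed by the match so they cannot be paid out twice.
    assertEq(likeRegistry.userBalances(user1), 0, "user1 balance not reset");
    assertEq(likeRegistry.userBalances(user2), 0, "user2 balance not reset");
}
```

Running this against the unfixed contract fails on the very first assertion, which makes it a useful guard against the bug being reintroduced.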
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds
