DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP

Submission Details
Severity: medium
Valid

Lack of Refund Mechanism for Non-Mutual Likes on Profile Destruction

Summary

When a user burns their profile (burnProfile function in SoulboundProfileNFT) or when their profile is blocked (blockProfile function), there is no mechanism to return the ETH they've paid for likes that did not result in mutual matches. This means users who leave or are removed from the platform lose access to these funds.

Vulnerability Details

Impact

  • Users lose their investment for non-mutual likes when they decide to exit or are forced out of the platform, potentially leading to user dissatisfaction.

  • This situation could undermine trust in the platform, as users might feel entitled to reclaim their unused payments.

Tools Used

Manual Review

Recommendations

  • Implement a refund system for non-mutual likes when users burn their profiles or get blocked:

  1. Modify the burnProfile and blockProfile methods:

```solidity
// In SoulboundProfileNFT.sol
// Assumes an `ILikeRegistry likeRegistry` state variable (set in the constructor)
// exposing refundNonMutualLikes(address), added as part of this recommendation.
function burnProfile() external {
    uint256 tokenId = profileToToken[msg.sender];
    require(tokenId != 0, "No profile found");
    require(ownerOf(tokenId) == msg.sender, "Not profile owner");
    _burn(tokenId);
    delete profileToToken[msg.sender];
    delete _profiles[tokenId];
    // Trigger refund for non-mutual likes
    likeRegistry.refundNonMutualLikes(msg.sender);
    emit ProfileBurned(msg.sender, tokenId);
}

function blockProfile(address blockAddress) external onlyOwner {
    uint256 tokenId = profileToToken[blockAddress];
    require(tokenId != 0, "No profile found");
    _burn(tokenId);
    delete profileToToken[blockAddress];
    delete _profiles[tokenId];
    // Trigger refund for non-mutual likes
    likeRegistry.refundNonMutualLikes(blockAddress);
    emit ProfileBurned(blockAddress, tokenId);
}
```
  2. Add a refundNonMutualLikes function in LikeRegistry:

```solidity
// In LikeRegistry.sol
// Assumes a `profileNFT` state variable holding the SoulboundProfileNFT address and a
// `userLikes` mapping (liker => addresses liked); see Additional Considerations below.
function refundNonMutualLikes(address user) external {
    // Only the profile contract may trigger a refund; otherwise anyone could
    // call this for a live user and wipe their recorded likes.
    require(msg.sender == profileNFT, "Only profile contract");
    uint256 totalRefund = 0;
    for (uint256 i = 0; i < userLikes[user].length; i++) {
        address likedUser = userLikes[user][i];
        if (!likes[likedUser][user]) { // Check if it's not a mutual like
            totalRefund += 1 ether;    // Assuming each like was 1 ETH
        }
    }
    // Clear userLikes before sending ETH (checks-effects-interactions) so a
    // re-entrant call from the recipient cannot be refunded twice
    delete userLikes[user];
    if (totalRefund > 0) {
        (bool success,) = payable(user).call{value: totalRefund}("");
        require(success, "Refund transfer failed");
    }
}
```

Additional Considerations:

  • Ensure userLikes or similar data structure is implemented to track non-mutual likes for each user.

  • Consider applying a small administrative fee or setting a time limit for when refunds can be claimed to avoid potential abuse.

  • This system assumes each like costs 1 ETH; adjust if the system allows for variable like costs.

This approach ensures users retain control over their funds for non-mutual likes even when they leave or are removed from the platform, enhancing user trust and experience.
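As an added, self-contained illustration of the recommended refund path (example code, not the DatingDapp contracts or this submission's patch): a minimal LikeRegistry that records each paid like, credits non-mutual likes back when the profile contract reports a burn or block, and lets the user pull the refund in their own transaction, so a recipient that rejects ETH cannot make blockProfile revert. The names LIKE_PRICE, profileNFT, userLikes, pendingRefunds and withdrawRefund are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative LikeRegistry fragment (not the DatingDapp contracts). Likes are paid
// at a fixed price and recorded per payer; refunds for non-mutual likes are credited
// as a withdrawable balance (pull payment) instead of being pushed, so a recipient
// that rejects ETH cannot make burnProfile / blockProfile revert.
contract LikeRegistryRefundExample {
    uint256 public constant LIKE_PRICE = 1 ether;
    address public immutable profileNFT; // only this contract may trigger refunds

    mapping(address => mapping(address => bool)) public likes; // liker => liked
    mapping(address => address[]) public userLikes;            // liker => liked list
    mapping(address => uint256) public pendingRefunds;         // liker => claimable ETH

    constructor(address _profileNFT) { profileNFT = _profileNFT; }

    function likeUser(address liked) external payable {
        require(msg.value == LIKE_PRICE, "Must pay exactly 1 ETH");
        require(!likes[msg.sender][liked], "Already liked");
        likes[msg.sender][liked] = true;
        userLikes[msg.sender].push(liked);
    }

    // Called by SoulboundProfileNFT from burnProfile / blockProfile. Likes that were
    // never reciprocated are credited back; mutual likes stay paid. All state is
    // cleared before any value can leave the contract (checks-effects-interactions).
    function refundNonMutualLikes(address user) external {
        require(msg.sender == profileNFT, "Only profile contract");
        address[] memory liked = userLikes[user];
        uint256 total;
        for (uint256 i = 0; i < liked.length; i++) {
            if (!likes[liked[i]][user]) {      // not reciprocated
                total += LIKE_PRICE;
                likes[user][liked[i]] = false; // like is withdrawn, cannot match later
            }
        }
        delete userLikes[user];
        pendingRefunds[user] += total;
    }

    // Pull payment: the refunded user withdraws in their own transaction.
    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "Nothing to withdraw");
        pendingRefunds[msg.sender] = 0; // effect before interaction
        (bool ok,) = payable(msg.sender).call{value: amount}("");
        require(ok, "Refund transfer failed");
    }
}
```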

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_blocking_or_burning_no_refund_balances_or_multisig

Likelihood: Low, burning with money in it would be a user mistake, and being blocked is Low. Impact: High, loss of funds
