DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: medium
Valid

Attackers can match themselves with other addresses they own and blackmail users of the protocol

Summary

Users in the protocol have no limit on the number of matches they can have. On each match, all of the available ETH of both users is sent to the newly created MultiSig. This is the intended state: two users who like each other hold joint responsibility for their pooled ETH.

This leaves room for the following malicious scenario:

  1. Alice has 2 addresses - Alice1 and Alice2

  2. From Alice1 she likes Alice2 and Bob

  3. Bob tries to like Alice1 back, but Alice frontruns him and likes Alice1 from Alice2

  4. The money of Alice1 and Alice2 will be sent to their joint MultiSig

  5. Bob's money is sent to a joint MultiSig with Alice1. Alice now has no stake at all in the joint MultiSig with Bob, which gives her leverage to blackmail him.

PoC

```solidity
modifier mintNfts() {
    vm.deal(alice, 3 ether);
    vm.prank(alice);
    soulboundNFT.mintProfile("Alice", 25, "ipfs://profileImage");
    vm.deal(bob, 3 ether);
    vm.prank(bob);
    soulboundNFT.mintProfile("Bob", 25, "ipfs://profileImage");
    vm.deal(carol, 3 ether);
    vm.prank(carol);
    soulboundNFT.mintProfile("Carol", 25, "ipfs://profileImage");
    _;
}

function test_poc_blackmail() public mintNfts {
    // The separate bug of likeUser not updating userBalances must be fixed first,
    // otherwise no ETH reaches either MultiSig at all.
    // Alice likes Bob and Carol. She matches with Bob first, so her whole balance
    // goes into the Alice/Bob MultiSig, leaving nothing for the Alice/Carol one.
    vm.startPrank(alice);
    likeRegistry.likeUser{value: 1 ether}(bob);
    likeRegistry.likeUser{value: 1 ether}(carol);
    vm.stopPrank();

    vm.prank(bob);
    likeRegistry.likeUser{value: 1 ether}(alice);
    // Address of the first MultiSigWallet deployed by the registry in this test run
    console.log("Ether in first MultiSig:", address(0xffD4505B3452Dc22f8473616d50503bA9E1710Ac).balance);
    // contains ETH from both Bob and Alice

    vm.prank(carol);
    likeRegistry.likeUser{value: 1 ether}(alice);
    // Address of the second MultiSigWallet deployed by the registry in this test run
    console.log("Ether in second MultiSig:", address(0x8d2C17FAd02B7bb64139109c6533b7C2b9CADb81).balance);
    // contains only Carol's ETH, giving Alice leverage on Carol
}
```

Impact

High: a user who matches can end up as co-owner of a MultiSig that holds only the other party's funds, exposing that party's ETH to blackmail.

Tools Used

Manual Review

Recommendations

This is core logic of the contract, so a fix is hard to suggest. One option is to send to the joint MultiSig only the ETH each user committed to that specific like, rather than the user's entire balance, so that one match does not drain the stake backing the user's other likes.
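The following is an added sketch of that recommendation, written for this review and not code from the DatingDapp repository. It assumes a hypothetical `PerLikeEscrowRegistry` contract with the same `likeUser(address)` entry point as the page's `likeRegistry`, but it records the attached ETH per (liker, liked) pair instead of in a single per-user balance. In the scenario from the Summary, Alice1 matching with Alice2 then moves only the ETH Alice1 attached to her like of Alice2; the ETH she attached to her like of Bob stays escrowed and lands in the Alice1/Bob joint wallet, so Bob is never the sole funder. The `JointWallet` here is a deliberately minimal stand-in for the project's `MultiSigWallet`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for the project's MultiSigWallet (hypothetical, for illustration):
// it only holds the matched pair's ETH and records the two owners.
contract JointWallet {
    address public immutable ownerA;
    address public immutable ownerB;

    constructor(address a, address b) payable {
        ownerA = a;
        ownerB = b;
    }

    receive() external payable {}
}

// Hypothetical registry that escrows ETH per like instead of per user.
contract PerLikeEscrowRegistry {
    uint256 public constant MIN_LIKE = 1 ether;

    // escrow[from][to]: ETH that `from` attached specifically to liking `to`.
    // A match between A and B can only ever move escrow[A][B] and escrow[B][A].
    mapping(address => mapping(address => uint256)) public escrow;
    mapping(address => mapping(address => bool)) public liked;
    // jointWallets[a][b] == jointWallets[b][a]: the wallet created for that pair.
    mapping(address => mapping(address => address)) public jointWallets;

    event Liked(address indexed from, address indexed to, uint256 amount);
    event Matched(address indexed a, address indexed b, address wallet, uint256 total);

    function likeUser(address to) external payable {
        require(msg.value >= MIN_LIKE, "must attach at least 1 ETH");
        require(to != msg.sender, "cannot like yourself");
        require(!liked[msg.sender][to], "already liked this user");

        liked[msg.sender][to] = true;
        escrow[msg.sender][to] = msg.value;
        emit Liked(msg.sender, to, msg.value);

        // Mutual like: settle only the two escrows belonging to this pair.
        if (liked[to][msg.sender]) {
            _match(msg.sender, to);
        }
    }

    function _match(address a, address b) internal {
        uint256 fromA = escrow[a][b];
        uint256 fromB = escrow[b][a];
        // Zero the pair's escrows before the external call (checks-effects-interactions).
        escrow[a][b] = 0;
        escrow[b][a] = 0;

        uint256 total = fromA + fromB;
        // Both contributions are non-zero by construction: each like required MIN_LIKE.
        JointWallet wallet = new JointWallet{value: total}(a, b);
        jointWallets[a][b] = address(wallet);
        jointWallets[b][a] = address(wallet);
        emit Matched(a, b, address(wallet), total);
    }
}
```

Replaying the page's PoC against this registry: Alice likes Bob and Carol with 1 ETH each, Bob likes Alice back and the Alice/Bob wallet receives 2 ETH; Carol then likes Alice back and the Alice/Carol wallet also receives 2 ETH, because Alice's escrow toward Carol was untouched by the first match. The per-like design does not stop a user from matching two addresses they control, but it removes the harm, since every wallet is always funded by both of its owners. A fee deduction like the original `matchRewards` applies can be added in `_match` without changing this property.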

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_several_match_lead_to_multisig_with_no_funds

Likelihood: Medium, if anyone has 2 matches or more before reliking. Impact: Medium, the user won't contribute to the wallet.
