DatingDapp
First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Status: Invalid

Overpayment allowed in the `likeUser` function.

Description:

The `likeUser` function accepts any amount of ETH at or above 1 ETH when liking another user. The documentation, however, states that liking a user costs exactly 1 ETH, so any additional ETH sent is not accounted for and results in an unintended loss of funds for the sender.

Impact:

Users can accidentally overpay when liking another profile, leading to unintended ETH loss. This contradicts the intended mechanism described in the documentation, where each like should cost exactly 1 ETH. If excess ETH is sent, it remains locked in the contract without serving any functional purpose.

Proof of Concept:

Consider the following scenario, where a user sends 2 ETH instead of 1 ETH:

likeRegistry.likeUser{value: 2 ether}(targetUser);

Expected behavior (based on docs): The transaction should reject any amount greater or less than 1 ETH.
Actual behavior: The contract accepts 2 ETH, allowing users to overpay unintentionally.

Recommended Mitigation:

Modify the `require` check to enforce exactly 1 ETH:

function likeUser(address liked) external payable {
- require(msg.value >= 1 ether, "Must send at least 1 ETH");
+ require(msg.value == 1 ether, "Must send exactly 1 ETH");
// REST OF THE CODE......
}
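The following Foundry test is an added example and is not part of the original submission or the DatingDapp code base. It uses a minimal stand-in contract (`LikePaymentCheck`, an assumed name) that only reproduces the payment check of `likeUser`, with a constructor flag selecting between the original `>=` check and the recommended `==` check, so the two behaviours can be compared side by side. The addresses and balances are constructed test values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Minimal stand-in for the like-payment check (assumed, not the project's contract).
/// `strict == false` reproduces the original `>=` check; `strict == true` the recommended `==` check.
contract LikePaymentCheck {
    bool public immutable strict;
    /// Value credited per like: always 1 ether, regardless of what was sent.
    mapping(address => uint256) public credited;

    constructor(bool _strict) {
        strict = _strict;
    }

    function likeUser(address liked) external payable {
        if (strict) {
            require(msg.value == 1 ether, "Must send exactly 1 ETH");
        } else {
            require(msg.value >= 1 ether, "Must send at least 1 ETH");
        }
        // Only 1 ETH is ever attributed to the like; any excess stays in the contract.
        credited[msg.sender] += 1 ether;
        liked; // unused in this stand-in
    }
}

contract OverpaymentTest is Test {
    address alice = makeAddr("alice"); // constructed test account
    address bob = makeAddr("bob");     // constructed test account

    /// With the `>=` check the 2 ETH call succeeds, but 1 ETH is stranded in the contract.
    function test_LooseCheckStrandsExcess() public {
        LikePaymentCheck registry = new LikePaymentCheck(false);
        vm.deal(alice, 2 ether);

        vm.prank(alice);
        registry.likeUser{value: 2 ether}(bob);

        assertEq(registry.credited(alice), 1 ether);
        assertEq(address(registry).balance, 2 ether);
        assertEq(alice.balance, 0);
    }

    /// With the `==` check the overpayment reverts and the sender keeps their funds.
    function test_StrictCheckRejectsOverpayment() public {
        LikePaymentCheck registry = new LikePaymentCheck(true);
        vm.deal(alice, 2 ether);

        vm.prank(alice);
        vm.expectRevert(bytes("Must send exactly 1 ETH"));
        registry.likeUser{value: 2 ether}(bob);
        assertEq(alice.balance, 2 ether);

        // Exactly 1 ETH is still accepted.
        vm.prank(alice);
        registry.likeUser{value: 1 ether}(bob);
        assertEq(registry.credited(alice), 1 ether);
        assertEq(address(registry).balance, 1 ether);
        assertEq(alice.balance, 1 ether);
    }
}
```

Run with `forge test --match-contract OverpaymentTest -vv`. The first test shows the accounting gap the finding describes (contract balance 2 ETH, credited 1 ETH); the second shows that the recommended `==` check closes it without affecting the normal 1 ETH path.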
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

User's mistake, only impacting themselves.

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
