DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

`LikeRegistry::likeUser` doesn't have a reversal mechanism.

[H-1] Summary

LikeRegistry::likeUser doesn't have a reversal mechanism. As a result, if a user inadvertently "likes" the zero-address or another invalid non-zero address (e.g. through a typo), the ETH they send as the message value (at least 1 ETH, per the requirements) is trapped in the contract.

Vulnerability Details

The purpose of the LikeRegistry contract is to enable users to like each other and "match". At that point the funds each user has deposited go to a shared contract (MultiSig.sol), from which the pair can spend them together. The issue arises from the fact that, until a match happens, the funds a user has sent remain held by the LikeRegistry. Liking a non-existent address (or the zero-address) can never result in a match, which means the funds are locked in the contract with no way to recover them.

Impact

The impact is high, as the user's funds would be locked in the contract, and there is no way to recover them. The likelihood is medium - the user would have to make a mistake in the address they are liking, or pass the zero-address.

Tools Used

Manual review.

Recommendations

A low-effort improvement is to add a zero-address check in the LikeRegistry::likeUser function:

```diff
 function likeUser(address liked) external payable {
+    require(liked != address(0), "Cannot like address 0");
     require(msg.value >= 1 ether, "Must send at least 1 ETH");
     require(!likes[msg.sender][liked], "Already liked");
     require(msg.sender != liked, "Cannot like yourself");
     require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
     require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
     likes[msg.sender][liked] = true;
     emit Liked(msg.sender, liked);
     // Check if mutual like
     if (likes[liked][msg.sender]) {
         matches[msg.sender].push(liked);
         matches[liked].push(msg.sender);
         emit Matched(msg.sender, liked);
         matchRewards(liked, msg.sender);
     }
 }
```

A more resilient approach would be to add a reversal mechanism (an unlikeUser function), so that the user can revoke a like, thereby receiving their ETH back. Such a mechanism would include removing the likes from the likes mapping, and storing the exact ETH amount sent for the given liked address, which could then be transferred back to the user.
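The sketch below is an added example of such a reversal mechanism; it is not the DatingDapp project's code. It assumes a minimal IProfileNFT interface exposing the profileToToken call used above, adds a likeDeposits mapping that records the exact ETH sent per (liker, liked) pair, tracks matched pairs in an isMatched mapping, and stubs the project's matchRewards payout with a placeholder _matchRewards. The refund follows checks-effects-interactions: the like and its deposit record are cleared before any ETH leaves the contract, so a re-entrant call into unlikeUser fails the "No like to revoke" check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface; the real ProfileNFT contract is not shown on this page.
interface IProfileNFT {
    function profileToToken(address user) external view returns (uint256);
}

contract LikeRegistryWithUnlike {
    IProfileNFT public immutable profileNFT;

    mapping(address => mapping(address => bool)) public likes;
    // Assumed addition: exact ETH each liker deposited for a given liked address.
    mapping(address => mapping(address => uint256)) public likeDeposits;
    // Assumed addition: once a pair is matched the deposits are no longer refundable here.
    mapping(address => mapping(address => bool)) public isMatched;
    mapping(address => address[]) public matches;

    event Liked(address indexed liker, address indexed liked);
    event Unliked(address indexed liker, address indexed liked, uint256 refunded);
    event Matched(address indexed a, address indexed b);

    constructor(IProfileNFT nft) {
        profileNFT = nft;
    }

    function likeUser(address liked) external payable {
        require(liked != address(0), "Cannot like address 0");
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(!likes[msg.sender][liked], "Already liked");
        require(msg.sender != liked, "Cannot like yourself");
        require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
        require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

        likes[msg.sender][liked] = true;
        likeDeposits[msg.sender][liked] = msg.value; // remember what a later unlike must refund
        emit Liked(msg.sender, liked);

        // Mutual like: mark the pair matched so neither side can refund afterwards.
        if (likes[liked][msg.sender]) {
            isMatched[msg.sender][liked] = true;
            isMatched[liked][msg.sender] = true;
            matches[msg.sender].push(liked);
            matches[liked].push(msg.sender);
            emit Matched(msg.sender, liked);
            _matchRewards(liked, msg.sender);
        }
    }

    // Reversal mechanism: revoke a like and get the exact deposit back,
    // but only while no match has consumed the funds.
    function unlikeUser(address liked) external {
        require(likes[msg.sender][liked], "No like to revoke");
        require(!isMatched[msg.sender][liked], "Already matched; funds moved at match time");

        uint256 amount = likeDeposits[msg.sender][liked];

        // Effects first: clear state before interacting with the caller.
        likes[msg.sender][liked] = false;
        delete likeDeposits[msg.sender][liked];
        emit Unliked(msg.sender, liked, amount);

        // Interaction last; a re-entrant unlikeUser now fails the first require.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "Refund failed");
    }

    // Placeholder for the project's payout logic, which is not shown on this page.
    // The real contract forwards both deposits to a MultiSig here; clearing the
    // records keeps the accounting consistent with that transfer.
    function _matchRewards(address a, address b) internal {
        delete likeDeposits[a][b];
        delete likeDeposits[b][a];
    }
}
```

Two points matter for a reviewer: the refund amount comes from the stored per-pair deposit rather than a fixed 1 ether, so users who sent more than the minimum recover exactly what they sent, and the isMatched guard prevents a refund from racing the match payout, which would otherwise let one side withdraw funds the MultiSig already expects.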

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

User's mistake, only impacting themselves.

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
