DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

The `userBalances` mapping isn't updated when a user sends ETH.

[H-2] Summary

The userBalances mapping isn't updated when a user sends ETH.

Vulnerability Details

The userBalances mapping is used to store the sum of ETH deposited by each user thus far. In matchRewards, the balances of the two users are summed to calculate the reward. Because userBalances is not updated in LikeRegistry::likeUser or anywhere else, the reward will always be zero, which breaks the main functionality of the contract.
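The accounting gap described above, reduced to a Foundry test. This is an added example, not the contest's code: `LikeRegistryModel`, its `creditDeposits` switch and `lastReward` are hypothetical, the profile NFT checks are left out, and `matchRewards` is assumed to do nothing except record the summed balances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import {Test} from "forge-std/Test.sol";

// Hypothetical reduced model of the finding (not the contest contract):
// no NFT checks, and matchRewards only records the summed balances.
contract LikeRegistryModel {
    bool public immutable creditDeposits; // true = recommended fix applied
    mapping(address => mapping(address => bool)) public likes;
    mapping(address => uint256) public userBalances;
    uint256 public lastReward; // assumed stand-in for the computed reward

    constructor(bool credit) { creditDeposits = credit; }

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(!likes[msg.sender][liked], "Already liked");
        likes[msg.sender][liked] = true;
        if (creditDeposits) userBalances[msg.sender] += msg.value;
        if (likes[liked][msg.sender]) matchRewards(liked, msg.sender);
    }

    function matchRewards(address from, address to) internal {
        lastReward = userBalances[from] + userBalances[to];
    }
}

contract UserBalancesTest is Test {
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    // Both users like each other, each sending 1 ETH.
    function _mutualLike(bool fixedVersion) internal returns (LikeRegistryModel r) {
        r = new LikeRegistryModel(fixedVersion);
        vm.deal(alice, 1 ether);
        vm.deal(bob, 1 ether);
        vm.prank(alice);
        r.likeUser{value: 1 ether}(bob);
        vm.prank(bob);
        r.likeUser{value: 1 ether}(alice);
    }

    function test_RewardIsZeroWithoutCredit() public {
        LikeRegistryModel r = _mutualLike(false);
        assertEq(r.lastReward(), 0);           // balances were never credited
        assertEq(address(r).balance, 2 ether); // the ETH is held by the contract
    }

    function test_RewardIsSumWithCredit() public {
        assertEq(_mutualLike(true).lastReward(), 2 ether);
    }
}
```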

Impact

High impact - the main functionality of the contract is broken. High likelihood, as the userBalances mapping is never updated.

Tools Used

Manual review.

Recommendations

In the LikeRegistry::likeUser function, update the userBalances mapping to increment the sender's balance by the amount of ETH sent:

function likeUser(address liked) external payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
likes[msg.sender][liked] = true;
+ userBalances[msg.sender] += msg.value;
emit Liked(msg.sender, liked);
// Check if mutual like
if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
emit Matched(msg.sender, liked);
matchRewards(liked, msg.sender);
}
}
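Review bot: the added `userBalances[msg.sender] += msg.value;` credits the full `msg.value`, while the first `require(msg.value >= 1 ether, ...)` accepts any amount above 1 ETH, so overpayments also flow into the reward sum; state in a comment or NatSpec whether that is intended. The credit sits before the mutual-like branch, which is the order `matchRewards(liked, msg.sender)` needs for the second liker's deposit to be counted; a test asserting a non-zero reward after a mutual like would pin that ordering down.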
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds
