The like function accepts payments of 1 ETH or more instead of requiring exactly 1 ETH, violating the protocol's specified economic constraint: "To express interest in someone, they pay 1 ETH to "like" their profile." It is a clear requirement that the like transfer has to be exactly 1 ETH.
The require statement uses >= 1 ether rather than strict equality (== 1 ether). This allows users to send excess ETH that becomes trapped in the contract until the owners withdraw it manually, even though the protocol documentation specifies exact 1 ETH payments for likes.
High:
Users may accidentally overpay, and there is no refund mechanism.
The excess creates an accounting imbalance between the actual contract balance and the totalFees tracking.
It violates the core protocol economic model, which requires predictable 1 ETH costs.
Manual code review
Slither static analysis (would flag arbitrary value acceptance)
Requiring exactly 1 ether (msg.value == 1 ether) aligns with the protocol requirements and prevents funds from being trapped. If flexible payments are needed, implement an automatic refund of any excess amount instead.
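The flawed check beside the two recommended fixes, as an added illustration and not the audited project's code; the contract name, the totalFees bookkeeping and the refund variant are assumptions about how the protocol tracks fees:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not the audited project's code): a minimal like registry
/// showing the flawed check, the strict-equality fix and a refund variant.
/// The totalFees bookkeeping is an assumption about the protocol's accounting.
contract LikeRegistry {
    uint256 public constant LIKE_PRICE = 1 ether;
    uint256 public totalFees; // fees the protocol believes it holds
    mapping(address => mapping(address => bool)) public liked;

    /// VULNERABLE: any amount >= 1 ether is accepted; only the 1 ether fee is
    /// credited to totalFees, so the excess is silently trapped in the contract.
    function likeVulnerable(address profile) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        liked[msg.sender][profile] = true;
        totalFees += 1 ether; // msg.value - 1 ether is now unaccounted for
    }

    /// FIX 1: strict equality enforces the documented 1 ETH price, so the
    /// contract balance and totalFees cannot drift apart through this path.
    function like(address profile) external payable {
        require(msg.value == LIKE_PRICE, "Must send exactly 1 ETH");
        liked[msg.sender][profile] = true;
        totalFees += msg.value;
    }

    /// FIX 2 (if flexible payments are wanted): keep the fee, refund the rest.
    /// State is updated before the external call (checks-effects-interactions).
    function likeWithRefund(address profile) external payable {
        require(msg.value >= LIKE_PRICE, "Must send at least 1 ETH");
        liked[msg.sender][profile] = true;
        totalFees += LIKE_PRICE;
        uint256 excess = msg.value - LIKE_PRICE;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "Refund failed");
        }
    }

    /// Invariant an invariant test can assert after every like: with only
    /// like() / likeWithRefund() reachable it holds; likeVulnerable() breaks it.
    function accountingIsConsistent() external view returns (bool) {
        return address(this).balance == totalFees;
    }
}
```

Calling likeVulnerable with 1.5 ETH leaves accountingIsConsistent() returning false, which is the imbalance the finding describes.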
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on mainnet without any supposition (if, it could, etc.) to prove your point.