DatingDapp

First Flight #33
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Severity: low
Invalid

Permanent Funds Lock Due to Missing Refund Mechanism for Unmatched Likes

Summary

The LikeRegistry smart contract requires users to deposit 1 ETH when liking another user through the likeUser() function. However, the contract lacks a mechanism for users to retrieve their deposited funds if they never receive a match. This creates a permanent lock of user funds in scenarios where matches do not occur.

Vulnerability Details

In the current implementation, when a user likes another profile through the likeUser() function, they must send at least 1 ETH:

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        // ... rest of function
    }

These funds are stored in the contract but are only distributed when a match occurs through the matchRewards() function. If a user never receives a match, their funds remain permanently locked in the contract with no withdrawal mechanism available.

Proof of Concept

Consider the following scenario:

  1. Alice deposits 1 ETH to like Bob

  2. Bob never likes Alice back

  3. Alice's 1 ETH remains locked in the contract indefinitely

  4. Alice has no mechanism to recover her funds, even if she decides to leave the platform

Impact

This vulnerability has several serious implications:

  1. Users who do not receive matches have their funds permanently locked in the contract

  2. The locked funds could accumulate to significant amounts over time

  3. Users may be discouraged from participating due to the risk of permanent fund loss

  4. The contract could be perceived as predatory, damaging platform reputation

  5. In the event of contract deprecation, unmatched user funds would be irretrievable

Tools Used

Manual review

Recommendation

Implement a refund mechanism that allows users to withdraw their funds if they remain unmatched after a certain period. Here's a suggested implementation:

    contract LikeRegistry {
        // Track individual user deposits
        mapping(address => uint256) public userDeposits;
        // Track when likes were made (liker => liked => timestamp)
        mapping(address => mapping(address => uint256)) public likeTimestamps;
        // Define a reasonable waiting period before an unmatched like can be refunded
        uint256 public constant REFUND_WAITING_PERIOD = 30 days;

        event LikeWithdrawn(address indexed user, address indexed liked, uint256 amount);

        function likeUser(address liked) external payable {
            require(msg.value >= 1 ether, "Must send at least 1 ETH");
            userDeposits[msg.sender] += msg.value;
            likeTimestamps[msg.sender][liked] = block.timestamp;
            // ... rest of existing function
        }

        function withdrawUnmatchedFunds(address liked) external {
            require(likeTimestamps[msg.sender][liked] > 0, "No like found");
            require(
                block.timestamp >= likeTimestamps[msg.sender][liked] + REFUND_WAITING_PERIOD,
                "Waiting period not elapsed"
            );
            // `likes` is the existing liker => liked => bool mapping of the contract;
            // a reciprocated like means a match, which is not refundable
            require(!likes[liked][msg.sender], "Cannot withdraw after match");
            uint256 amount = 1 ether;
            require(userDeposits[msg.sender] >= amount, "Insufficient deposit");
            // Effects before the external call (checks-effects-interactions)
            userDeposits[msg.sender] -= amount;
            likeTimestamps[msg.sender][liked] = 0;
            likes[msg.sender][liked] = false;
            (bool success,) = payable(msg.sender).call{value: amount}("");
            require(success, "Transfer failed");
            emit LikeWithdrawn(msg.sender, liked, amount);
        }
    }

Risk Mitigation

The proposed solution:

  1. Tracks individual user deposits separately

  2. Implements a waiting period before refunds become available

  3. Allows users to withdraw funds from specific unmatched likes

  4. Maintains platform integrity while protecting user funds

  5. Includes proper event emission for transparency
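The following Foundry test is an added example, not code from the submission or from the DatingDapp repository. It models the Proof of Concept scenario above (Alice likes Bob, Bob never reciprocates) against a minimal stand-in contract that carries the recommended refund path, and it checks the two properties the recommendation relies on: the refund is blocked until the waiting period has elapsed, and it is blocked entirely once the like has been reciprocated. The `LikeRegistryFixed` contract is an assumption that models only the `likes` mapping and the deposit bookkeeping discussed here (deposits are tracked per like rather than per user, so the full amount sent is refunded); the real LikeRegistry contains further matching and reward logic that is out of scope for this test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

/// Assumed minimal stand-in for LikeRegistry with the recommended refund path.
/// Only the state the finding talks about is modelled.
contract LikeRegistryFixed {
    uint256 public constant REFUND_WAITING_PERIOD = 30 days;

    mapping(address => mapping(address => bool)) public likes;            // liker => liked
    mapping(address => mapping(address => uint256)) public likeDeposits;  // liker => liked => wei
    mapping(address => mapping(address => uint256)) public likeTimestamps; // liker => liked => time

    event LikeWithdrawn(address indexed user, address indexed liked, uint256 amount);

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(!likes[msg.sender][liked], "Already liked");
        likes[msg.sender][liked] = true;
        likeDeposits[msg.sender][liked] = msg.value;
        likeTimestamps[msg.sender][liked] = block.timestamp;
    }

    function withdrawUnmatchedFunds(address liked) external {
        uint256 likedAt = likeTimestamps[msg.sender][liked];
        require(likedAt > 0, "No like found");
        require(block.timestamp >= likedAt + REFUND_WAITING_PERIOD, "Waiting period not elapsed");
        require(!likes[liked][msg.sender], "Cannot withdraw after match");

        uint256 amount = likeDeposits[msg.sender][liked];
        // Checks-effects-interactions: clear all per-like state before sending ETH
        likes[msg.sender][liked] = false;
        likeDeposits[msg.sender][liked] = 0;
        likeTimestamps[msg.sender][liked] = 0;

        (bool success,) = payable(msg.sender).call{value: amount}("");
        require(success, "Transfer failed");
        emit LikeWithdrawn(msg.sender, liked, amount);
    }
}

contract RefundTest is Test {
    LikeRegistryFixed registry;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        registry = new LikeRegistryFixed();
        vm.deal(alice, 2 ether);
        vm.deal(bob, 2 ether);
    }

    // PoC scenario: Alice likes Bob, Bob never likes back. Without the refund
    // path the 1 ETH would stay in the contract; with it, Alice recovers it.
    function test_unmatchedLikeRefundableAfterWait() public {
        vm.prank(alice);
        registry.likeUser{value: 1 ether}(bob);
        assertEq(address(registry).balance, 1 ether);
        assertEq(alice.balance, 1 ether);

        // Too early: the waiting period has not elapsed yet
        vm.expectRevert(bytes("Waiting period not elapsed"));
        vm.prank(alice);
        registry.withdrawUnmatchedFunds(bob);

        vm.warp(block.timestamp + 30 days);
        vm.prank(alice);
        registry.withdrawUnmatchedFunds(bob);
        assertEq(alice.balance, 2 ether);
        assertEq(address(registry).balance, 0);
    }

    // A reciprocated like is a match and must never be refundable
    function test_matchedLikeCannotBeWithdrawn() public {
        vm.prank(alice);
        registry.likeUser{value: 1 ether}(bob);
        vm.prank(bob);
        registry.likeUser{value: 1 ether}(alice);

        vm.warp(block.timestamp + 30 days);
        vm.expectRevert(bytes("Cannot withdraw after match"));
        vm.prank(alice);
        registry.withdrawUnmatchedFunds(bob);
    }
}
```

Run with `forge test --match-contract RefundTest -vv`. Tracking the deposit per like rather than per user avoids the situation where a liker who sent more than 1 ETH can only ever reclaim 1 ETH of it; the choice of a fixed 30-day window is taken from the recommendation above and is a parameter the protocol would need to settle on.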

Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
