The contract's core functionality fails to track the ETH a user pays when expressing interest in ("liking") another profile. The userBalances mapping, intended to store these payments, is never written to, so every entry stays at zero. When mutual likes trigger the matchRewards function, it computes the reward from userBalances[from] and userBalances[to], both of which are zero, so totalRewards = 0 and no ETH is transferred to the multisig wallet for the match. The reward system is therefore ineffective.
Root cause: the likeUser function does not update any storage variable to record the ETH sent with a like, and matchRewards relies on userBalances[from] and userBalances[to], which are always zero, leading to totalRewards = 0.
Impact
Users receive zero rewards for mutual likes despite paying 1 ETH each.
The contract owner cannot withdraw any fees (totalFees
remains zero), undermining the business model.
Funds remain trapped in the contract, creating a financial loss for users and degrading trust in the platform.
Tools used: Slither static analysis, which flags the unused state variable (userBalances).
Track ETH Payments: Introduce a payments mapping to accumulate like payments from each user.
Update likeUser Function: Store each like's payment in the payments mapping.
Modify matchRewards: Calculate rewards based on the tracked payments and reset them after the transfer.
Enforce Exact Payments: Change the payment requirement to msg.value == 1 ether to prevent overpayments.
Fixed Code Snippet
By implementing these fixes, the contract will accurately track and distribute rewards for mutual likes, ensuring users receive their pooled funds and the owner collects fees as intended.
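The following contract is an added illustration of the four mitigation steps above; it is not the audited contract's code or the finding's own fixed snippet. Only the names likeUser, matchRewards, payments, totalFees and userBalances come from the finding. Everything else is assumed for the example: a single multisig address fixed at construction, a placeholder fee of 10% taken into totalFees, a liked mapping to detect mutual likes, and an owner-only withdrawFees function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example of the recommended fix; not the audited contract.
// Assumptions (not from the finding): one multisig set at deployment,
// a placeholder 10% fee, a `liked` mapping for mutual-like detection.
contract LikeRegistryFixed {
    address public immutable owner;
    address public immutable multisig;        // assumed: receives pooled rewards
    uint256 public constant FEE_BPS = 1_000;  // assumed placeholder: 10% fee

    // Fix 1: replaces the never-written userBalances mapping.
    mapping(address => uint256) public payments;
    mapping(address => mapping(address => bool)) public liked; // assumed
    uint256 public totalFees;

    event Liked(address indexed from, address indexed to, uint256 amount);
    event Matched(address indexed a, address indexed b, uint256 rewards, uint256 fee);

    constructor(address _multisig) {
        require(_multisig != address(0), "multisig required");
        owner = msg.sender;
        multisig = _multisig;
    }

    function likeUser(address to) external payable {
        // Fix 4: exact payment, so no overpayment is silently absorbed.
        require(msg.value == 1 ether, "Must send exactly 1 ETH");
        require(to != msg.sender, "Cannot like self");
        require(!liked[msg.sender][to], "Already liked");

        liked[msg.sender][to] = true;
        // Fix 2: record the payment so matchRewards has a non-zero balance to pool.
        payments[msg.sender] += msg.value;
        emit Liked(msg.sender, to, msg.value);

        // Mutual like: the other party already liked us, so settle the match.
        if (liked[to][msg.sender]) {
            matchRewards(msg.sender, to);
        }
    }

    function matchRewards(address from, address to) internal {
        // Fix 3: pool the tracked payments instead of the always-zero userBalances.
        uint256 totalRewards = payments[from] + payments[to];
        require(totalRewards > 0, "Nothing to distribute");

        // Reset before the external call (checks-effects-interactions),
        // so a re-entrant call cannot distribute the same funds twice.
        payments[from] = 0;
        payments[to] = 0;

        uint256 fee = (totalRewards * FEE_BPS) / 10_000;
        totalFees += fee;
        uint256 rewards = totalRewards - fee;

        (bool ok, ) = multisig.call{value: rewards}("");
        require(ok, "Reward transfer failed");
        emit Matched(from, to, rewards, fee);
    }

    // Assumed owner-only withdrawal; totalFees is now actually accrued.
    function withdrawFees() external {
        require(msg.sender == owner, "Not owner");
        uint256 amount = totalFees;
        totalFees = 0;
        (bool ok, ) = owner.call{value: amount}("");
        require(ok, "Fee transfer failed");
    }
}
```

With two users each calling likeUser with exactly 1 ether, the second call detects the mutual like and matchRewards pools 2 ether, books 0.2 ether into totalFees under the assumed 10% fee, and forwards 1.8 ether to the multisig; zeroing both payments entries before the transfer keeps the same funds from being paid out again.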
Likelihood: High, always. Impact: High, loss of funds