DatingDapp

First Flight #33

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

The deposit for liking someone is locked forever

loptus

Summary

In order for a user to "like" another user's profile using the likeUser() function, they must send 1 ether. However, since there is no function within the LikeRegistry contract to withdraw funds, the funds will remain locked indefinitely.

Vulnerability Details

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

require(!likes[msg.sender][liked], "Already liked");

require(msg.sender != liked, "Cannot like yourself");

require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");

require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

likes[msg.sender][liked] = true;

emit Liked(msg.sender, liked);

// Check if mutual like

if (likes[liked][msg.sender]) {

matches[msg.sender].push(liked);

matches[liked].push(msg.sender);

emit Matched(msg.sender, liked);

matchRewards(liked, msg.sender);

}

In the above function, sending 1 ether is mandatory. However, since there is no withdrawal function provided, the funds become permanently locked, preventing anyone from retrieving them.

Impact

Assets are locked forever

Recommendations

Implement a function to withdraw collateral funds.

Updates

Appeal created

n0kto Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

invalid_no_withdrawing_function_and_like_all_used

Money collected will be sent to the MultisigWallet during the first match. Emergency withdraw could lead to a frontrun before a match. "If the like is mutual, all their previous like payments (minus a 10% fee) are pooled into a shared multisig wallet" Design choice

loptus Submitter

5 months ago

n0kto Lead Judge

5 months ago

loptus Submitter

5 months ago

n0kto Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

invalid_no_withdrawing_function_and_like_all_used

Rewards breakdown

nSLOC

197

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.