DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

Protocol owner loses revenue accrued from fees

Summary

The owner's fees (matchingFees) are expected to be deducted from the matched users' deposits and accumulated in totalFees. However, the balances that LikeRegistry::matchRewards reads are never updated and remain 0, so the computed fee is always 0 as well.

Vulnerability Details

LikeRegistry::withdrawFees becomes redundant: no fees ever accrue to the owner, because the fee calculation is based on user deposits that the contract never tracks. When the owner calls withdrawFees, it always reverts on the require check below:

require(totalFees > 0, "No fees to withdraw");

Impact

  • Loss of revenue for the protocol: the owner receives no fees from the DatingDapp being used.

Tools Used

Manual Review.

Recommendations

Track the user's deposit when they indicate interest by liking another user's profile, so that the fee calculation has a non-zero balance to work from:

function likeUser(
    address liked
) external payable {
    require(msg.value >= 1 ether, "Must send at least 1 ETH");
    require(!likes[msg.sender][liked], "Already liked");
    require(msg.sender != liked, "Cannot like yourself");
    require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
    require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
    likes[msg.sender][liked] = true;
    emit Liked(msg.sender, liked);
+   userBalances[msg.sender] += msg.value; // should be 1 ETH according to docs
    // Check if mutual like
    if (likes[liked][msg.sender]) {
        matches[msg.sender].push(liked);
        matches[liked].push(msg.sender);
        emit Matched(msg.sender, liked);
        matchRewards(liked, msg.sender);
    }
}
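An added Foundry regression test for this finding (not part of the original submission or the DatingDapp repository): it fails on the unpatched LikeRegistry, where totalFees stays 0 and withdrawFees reverts, and passes once likeUser tracks the deposit. The LikeRegistry constructor argument, the mintProfile signature and a public totalFees getter are assumptions to adjust to the repository.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";
import {LikeRegistry} from "../src/LikeRegistry.sol";
import {SoulboundProfileNFT} from "../src/SoulboundProfileNFT.sol";

// Assumed: LikeRegistry takes the profile NFT address in its constructor and
// SoulboundProfileNFT exposes mintProfile(name, age, image). Adjust to the repo.
contract FeeAccrualTest is Test {
    LikeRegistry registry;
    SoulboundProfileNFT nft;
    address owner = makeAddr("owner");
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        vm.startPrank(owner);
        nft = new SoulboundProfileNFT();
        registry = new LikeRegistry(address(nft));
        vm.stopPrank();

        // Both users need a profile NFT to pass the require checks in likeUser.
        vm.prank(alice);
        nft.mintProfile("Alice", 30, "ipfs://constructed-alice");
        vm.prank(bob);
        nft.mintProfile("Bob", 31, "ipfs://constructed-bob");
        vm.deal(alice, 1 ether);
        vm.deal(bob, 1 ether);
    }

    // Regression test for the finding: a mutual like must leave the owner with
    // fees to withdraw. Before the fix totalFees stays 0, the assertGt fails and
    // withdrawFees would revert with "No fees to withdraw".
    function test_ownerAccruesFeesOnMatch() public {
        vm.prank(alice);
        registry.likeUser{value: 1 ether}(bob);
        vm.prank(bob);
        registry.likeUser{value: 1 ether}(alice); // mutual like -> matchRewards runs

        uint256 fees = registry.totalFees(); // assumed public state variable
        assertGt(fees, 0, "no fees accrued from the match");
        assertLe(fees, 2 ether, "fee exceeds the total deposited");

        vm.prank(owner);
        registry.withdrawFees(); // must not revert once deposits are tracked
    }
}
```

Run it with `forge test --match-test test_ownerAccruesFeesOnMatch` before and after applying the one-line change to likeUser to confirm the fix.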
Updates

Appeal created

n0kto Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds
