DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

Missing User Balance Update in likeUser Leads to Incorrect Reward Calculation

Summary

The LikeRegistry::userBalances mapping is never updated in the LikeRegistry::likeUser() function. Because of this omission, the ETH paid with each like is not reflected in any accounting state, so rewards cannot be calculated or distributed correctly in later calls, specifically within the matchRewards() internal function.

Vulnerability Details

The userBalances mapping tracks the funds accumulated for each user and is the source the matchRewards() internal function reads when it calculates rewards. However, likeUser(), the function that records the "like" and potentially triggers a match, accepts msg.value without ever updating the userBalances mapping. When a match occurs and matchRewards() tries to distribute rewards, the balances it reads are therefore still zero. Consequently no rewards are calculated and zero ETH is sent to the MultiSig contract, because the contract believes there is no balance to distribute.

Proof of Code:

function testLikeProfile() public {
    vm.deal(user, 10 ether);
    vm.prank(user); // Simulates user calling the function
    soulboundNFT.mintProfile("Alice", 25, "ipfs://profileImage");
    vm.prank(user2); // Simulates user2 calling the function
    soulboundNFT.mintProfile("Bob", 18, "ipfs://profileImage");
    assert(registry.likes(user, user2) == false);
    vm.startPrank(user);
    registry.likeUser{value: 1 ether}(user2);
    bool liked = registry.likes(user, user2);
    assertTrue(liked, "User should be liked");
    vm.stopPrank();
    assert(registry.likes(user, user2) == true);
    assertEq(registry.userBalances(user2), 0); // 1 ether was paid, but user2's tracked balance is still 0
}

Impact

Users who participate in matching activities will not receive the expected rewards, frustrating users and damaging the platform's incentive structure.

Tools Used

Recommendations

To resolve this vulnerability, the userBalances mapping needs to be updated in the likeUser() function:

function likeUser(address liked) external payable {
    require(msg.value >= 1 ether, "Must send at least 1 ETH");
    require(!likes[msg.sender][liked], "Already liked");
    require(msg.sender != liked, "Cannot like yourself");
    require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
    require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
    likes[msg.sender][liked] = true;
    emit Liked(msg.sender, liked);
+   userBalances[liked] += msg.value;
    // Check if mutual like
    if (likes[liked][msg.sender]) {
        matches[msg.sender].push(liked);
        matches[liked].push(msg.sender);
        emit Matched(msg.sender, liked);
        matchRewards(liked, msg.sender);
    }
}

This change updates the userBalances mapping every time a user likes another user, so the ETH paid with the like is recorded and matchRewards() starts from the correct balance.
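As an added illustration (not the project's code), the following is a simplified model of the like/match flow plus a Forge test showing what the fix buys. It assumes a matchRewards() that sums both tracked balances and forwards them fee-free to one hypothetical TREASURY address standing in for the MultiSig; the profile NFT checks and events are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Simplified model of the like/match flow, not the project's contract: it keeps the fix
// (crediting userBalances in likeUser) and assumes matchRewards sums both tracked
// balances and forwards them, fee-free, to one hypothetical treasury address.
contract LikeAccounting {
    address public constant TREASURY = address(0xBEEF); // stand-in for the MultiSig
    mapping(address => mapping(address => bool)) public likes;
    mapping(address => uint256) public userBalances;

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(!likes[msg.sender][liked], "Already liked");
        require(msg.sender != liked, "Cannot like yourself");
        likes[msg.sender][liked] = true;
        userBalances[liked] += msg.value; // the line the finding adds
        if (likes[liked][msg.sender]) matchRewards(liked, msg.sender);
    }

    // Without the credit above, total is 0 and the ETH stays stranded in this contract.
    function matchRewards(address a, address b) internal {
        uint256 total = userBalances[a] + userBalances[b];
        userBalances[a] = 0;
        userBalances[b] = 0;
        (bool ok, ) = payable(TREASURY).call{value: total}("");
        require(ok, "Payout failed");
    }
}

contract LikeAccountingTest is Test {
    LikeAccounting reg = new LikeAccounting();
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function testMutualLikePaysOutTrackedDeposits() public {
        vm.deal(alice, 1 ether);
        vm.deal(bob, 1 ether);
        vm.prank(alice);
        reg.likeUser{value: 1 ether}(bob);
        assertEq(reg.userBalances(bob), 1 ether); // the PoC above saw 0 here
        vm.prank(bob);
        reg.likeUser{value: 1 ether}(alice);
        assertEq(reg.TREASURY().balance, 2 ether); // both deposits reach the payout
        assertEq(address(reg).balance, 0); // nothing stranded in the registry
    }
}
```

The last assertion is the useful regression check for this class of bug: every wei accepted by a payable function should be accounted for in state and leave the contract on payout.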

Updates

Appeal created

n0kto Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds
