The contract documentation states:
"If the like is mutual, all their previous like payments (minus a 10% fee) are pooled into a shared multisig wallet."
However, there is no mechanism for users to deposit funds into the contract. As a result, userBalances remains empty, and the multisig wallet will never receive any funds, making the intended functionality ineffective.
In src/LikeRegistry.sol, the contract maintains a mapping:
The function matchRewards attempts to access userBalances to retrieve user balances:
However, there is no function that allows users to deposit funds into userBalances. Without a way to update this mapping, the balance always remains zero, rendering the dating funds distribution mechanism non-functional.
Users cannot deposit funds to update userBalances, making it impossible to participate in the intended payment flow.
The multisig wallet never receives any funds, preventing users from benefiting from mutual likes.
The core feature of like payments is ineffective, as no transactions occur.
Manual code review
To fix this issue, implement a receive function that allows users to deposit funds into the contract while preventing unintended deposits:
This ensures that users can fund their accounts, allowing matchRewards to function as intended.
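An added sketch of this recommendation (not the contest's code and not the fix block from the original report): a constructed contract whose receive function credits userBalances, so that pooling moves real funds. BalanceRegistrySketch, _poolMatch, FEE_PERCENT, totalFees and the events are hypothetical names; only userBalances and the 10% fee come from the text above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Constructed sketch, not src/LikeRegistry.sol. All names except
/// userBalances are assumptions made for illustration.
contract BalanceRegistrySketch {
    uint256 public constant FEE_PERCENT = 10; // 10% fee quoted in the documentation
    mapping(address => uint256) public userBalances;
    uint256 public totalFees;

    event Deposited(address indexed user, uint256 amount);
    event Pooled(address indexed a, address indexed b, address wallet, uint256 amount);

    /// Deposit path: a plain ETH transfer is credited to the sender.
    /// No fallback is declared, so a call carrying unknown calldata
    /// reverts instead of leaving uncredited ETH in the contract.
    receive() external payable {
        require(msg.value > 0, "zero deposit");
        userBalances[msg.sender] += msg.value;
        emit Deposited(msg.sender, msg.value);
    }

    /// Simplified stand-in for matchRewards. The like/match logic that
    /// would call it is out of scope, so it is internal here.
    function _poolMatch(address a, address b, address payable sharedWallet)
        internal
        returns (uint256 rewards)
    {
        uint256 total = userBalances[a] + userBalances[b];
        // Without the deposit path above this check always fails:
        // both balances stay zero and nothing reaches the wallet.
        require(total > 0, "nothing to pool");

        // Effects before interaction: clear balances before sending ETH.
        userBalances[a] = 0;
        userBalances[b] = 0;

        uint256 fee = (total * FEE_PERCENT) / 100;
        rewards = total - fee;
        totalFees += fee;

        (bool ok, ) = sharedWallet.call{value: rewards}("");
        require(ok, "transfer failed");
        emit Pooled(a, b, sharedWallet, rewards);
    }
}
```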
Likelihood: High, always. Impact: High, loss of funds