DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT

Submission Details
Severity: high
Valid

Locked Funds and Broken Rewards: Critical Flaw in LikeRegistry’s Fund Accounting

Summary

The contract requires users to send at least 1 ETH to like someone but never records these deposits. The ETH is therefore stuck in the contract, and neither rewards nor fees can be distributed. Even when two users match, no ETH is paid out, breaking the core functionality. Any ETH sent above 1 ETH is neither refunded nor credited, so users silently overpay.

Vulnerability Details

ETH sent with a like is never added to userBalances, so the reward system cannot work. When a match occurs, the contract calculates rewards from balances that are still zero, producing a zero payout. Users who send more than 1 ETH receive no credit or refund for the excess.

Impact

Users lose funds as they cannot claim rewards, and the contract fails to collect fees.

Recommendations

The contract should add msg.value to userBalances[msg.sender] whenever ETH is received, so that deposits are tracked before any match logic runs. It should also handle excess ETH by either refunding it or requiring an exact deposit amount.
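A minimal contract contrasting the flawed pattern with the recommended fix, added here as an illustration and not taken from the DatingDapp repository; every name other than userBalances, the fee percentage and the even payout split are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the accounting flaw described above. This is
// NOT the DatingDapp LikeRegistry source; every name except `userBalances`
// is an assumption made for the example.
contract LikeRegistryExample {
    mapping(address => mapping(address => bool)) public likes;
    mapping(address => uint256) public userBalances;
    uint256 public constant LIKE_PRICE = 1 ether;
    uint256 public constant FEE_BPS = 1000; // 10% protocol fee (assumed)
    uint256 public totalFees;

    // Vulnerable pattern: ETH is accepted but never credited to userBalances,
    // so any reward computed on a match is derived from a zero balance.
    function likeUserVulnerable(address liked) external payable {
        require(msg.value >= LIKE_PRICE, "Must send at least 1 ETH");
        likes[msg.sender][liked] = true;
        // missing: userBalances[msg.sender] += msg.value;
        if (likes[liked][msg.sender]) _payMatch(msg.sender, liked);
    }

    // Hardened pattern: exact price enforced and the deposit credited before
    // any match logic runs, so rewards and fees derive from real balances.
    function likeUser(address liked) external payable {
        require(msg.value == LIKE_PRICE, "Must send exactly 1 ETH");
        require(liked != msg.sender, "Cannot like yourself");
        userBalances[msg.sender] += msg.value;
        likes[msg.sender][liked] = true;
        if (likes[liked][msg.sender]) _payMatch(msg.sender, liked);
    }

    // Pools both users' balances, retains the fee, and pays the remainder
    // out in equal halves. Balances are zeroed before the external calls
    // (checks-effects-interactions) so a reentrant call finds nothing to take.
    function _payMatch(address a, address b) internal {
        uint256 pool = userBalances[a] + userBalances[b];
        userBalances[a] = 0;
        userBalances[b] = 0;
        uint256 fee = (pool * FEE_BPS) / 10_000;
        totalFees += fee;
        uint256 reward = pool - fee; // 0 ETH if deposits were never credited
        (bool okA, ) = a.call{value: reward / 2}("");
        (bool okB, ) = b.call{value: reward - reward / 2}("");
        require(okA && okB, "payout failed");
    }
}
```

A Foundry test that calls likeUserVulnerable from two addresses with 1 ETH each and asserts that their balances are unchanged after the match reproduces the zero-payout behaviour; the same test against likeUser shows the pooled amount minus the fee being returned.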

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds
