DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

Method likeUser doesn't update userBalances mapping

Summary

The likeUser method of the LikeRegistry contract does not update the userBalances mapping. As a result, when likes are matched a MultiSigWallet contract is created, but zero value is transferred to it every time.

Vulnerability Details

function likeUser(
    address liked
) external payable {
    require(msg.value >= 1 ether, "Must send at least 1 ETH");
    require(!likes[msg.sender][liked], "Already liked");
    require(msg.sender != liked, "Cannot like yourself");
    require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
    require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
    // missing update of the userBalances mapping
    likes[msg.sender][liked] = true;
    emit Liked(msg.sender, liked);
    // etc, etc.
}

Impact

Because the userBalances mapping is never updated, the impact is the following:

  • Every MultiSigWallet contract that is created receives no funds at all

  • totalFees is never increased, which makes the withdrawFees method unusable

In effect, the funds are stuck inside LikeRegistry.sol.

Recommendations

Apply the following changes to method likeUser inside contract LikeRegistry:

    likes[msg.sender][liked] = true;
    userBalances[msg.sender] += msg.value; // ADD THIS LINE
    emit Liked(msg.sender, liked);

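
A Foundry test of the accounting gap described above, added here as an example; it is not part of the original submission or of the DatingDapp code base. MiniRegistry, creditSender and the test names are hypothetical, and the profile NFT checks, match handling and fees are left out so that only the userBalances bookkeeping is exercised.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for LikeRegistry: models only likeUser's payment accounting.
// Profile NFT checks, match handling and fees are omitted.
contract MiniRegistry {
    mapping(address => mapping(address => bool)) public likes;
    mapping(address => uint256) public userBalances;
    bool public immutable creditSender; // false: reported behaviour, true: recommended fix

    constructor(bool _creditSender) { creditSender = _creditSender; }

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(!likes[msg.sender][liked], "Already liked");
        require(msg.sender != liked, "Cannot like yourself");
        likes[msg.sender][liked] = true;
        if (creditSender) userBalances[msg.sender] += msg.value;
    }
}

contract LikeAccountingTest is Test {
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    // Both users like each other, each paying 1 ETH.
    function _mutualLike(MiniRegistry reg) internal {
        vm.deal(alice, 1 ether);
        vm.deal(bob, 1 ether);
        vm.prank(alice);
        reg.likeUser{value: 1 ether}(bob);
        vm.prank(bob);
        reg.likeUser{value: 1 ether}(alice);
    }

    // Reported behaviour: the contract holds 2 ETH that is credited to nobody.
    function test_uncreditedEtherIsStranded() public {
        MiniRegistry reg = new MiniRegistry(false);
        _mutualLike(reg);
        assertEq(address(reg).balance, 2 ether);
        assertEq(reg.userBalances(alice) + reg.userBalances(bob), 0);
    }

    // Recommended fix: the ledger equals the ETH actually held.
    function test_creditedEtherMatchesBalance() public {
        MiniRegistry reg = new MiniRegistry(true);
        _mutualLike(reg);
        assertEq(reg.userBalances(alice) + reg.userBalances(bob), address(reg).balance);
    }
}
```

The same balance-versus-ledger equality can be kept as a regression check against the real contract once the fix is applied.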
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds
