DatingDapp

First Flight #33
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Severity: high
Valid

Funds Are Never Stored in userBalances

Summary

The contract does not update userBalances when users send ETH in likeUser(), meaning users cannot earn any rewards from matching because the balance will always remain zero.

Vulnerability Details

When a user calls likeUser(), they must send at least 1 ETH. However, this ETH is never credited to userBalances[msg.sender]; it simply accumulates in the contract.
Since matchRewards() only distributes rewards from userBalances, every match is processed against a zero balance and pays out 0 ETH in rewards.

Impact

  • Users do not receive any matching rewards, making the matchmaking system pointless.

  • The contract accepts ETH but never tracks it in userBalances, so the deposited funds cannot be distributed as rewards.

Tools Used

Manual contract review

Recommendations

Update userBalances[msg.sender] when a user deposits ETH in likeUser():

```solidity
function likeUser(address liked) external payable {
    require(msg.value >= 1 ether, "Must send at least 1 ETH");
    require(!likes[msg.sender][liked], "Already liked");
    require(msg.sender != liked, "Cannot like yourself");
    require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
    require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

    likes[msg.sender][liked] = true;

    // Credit the deposit so matchRewards() has a balance to distribute
    userBalances[msg.sender] += msg.value;

    emit Liked(msg.sender, liked);

    // Check if mutual like
    if (likes[liked][msg.sender]) {
        matches[msg.sender].push(liked);
        matches[liked].push(msg.sender);
        emit Matched(msg.sender, liked);
        matchRewards(liked, msg.sender);
    }
}
```
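A Foundry test, added here as an illustration rather than taken from the DatingDapp codebase, that reproduces the finding: it uses a deliberately simplified stand-in contract (LikeRegistryModel, with a hypothetical flag to toggle the fix and a reduced reward routine that pools the two tracked balances) and shows that a mutual like pays out 0 ETH unless likeUser() credits userBalances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Simplified model of the affected state; NOT the project's LikeRegistry.
contract LikeRegistryModel {
    mapping(address => mapping(address => bool)) public likes;
    mapping(address => uint256) public userBalances;
    bool public immutable creditsDeposit; // hypothetical toggle for the fix
    uint256 public lastReward;            // amount the last match paid out

    constructor(bool _creditsDeposit) { creditsDeposit = _creditsDeposit; }

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(!likes[msg.sender][liked], "Already liked");
        likes[msg.sender][liked] = true;
        if (creditsDeposit) userBalances[msg.sender] += msg.value; // the fix
        if (likes[liked][msg.sender]) _matchRewards(liked, msg.sender);
    }

    // Reduced reward logic: pool both users' tracked balances and record it.
    function _matchRewards(address a, address b) internal {
        uint256 pool = userBalances[a] + userBalances[b];
        userBalances[a] = 0;
        userBalances[b] = 0;
        lastReward = pool;
    }
}

contract UserBalancesTest is Test {
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function _mutualLike(LikeRegistryModel reg) internal {
        vm.deal(alice, 1 ether);
        vm.deal(bob, 1 ether);
        vm.prank(alice); reg.likeUser{value: 1 ether}(bob);
        vm.prank(bob);   reg.likeUser{value: 1 ether}(alice);
    }

    function test_vulnerable_matchPaysNothing() public {
        LikeRegistryModel reg = new LikeRegistryModel(false);
        _mutualLike(reg);
        assertEq(address(reg).balance, 2 ether); // ETH was received...
        assertEq(reg.lastReward(), 0);           // ...but rewards see none of it
    }

    function test_fixed_matchPaysPooledDeposits() public {
        LikeRegistryModel reg = new LikeRegistryModel(true);
        _mutualLike(reg);
        assertEq(reg.lastReward(), 2 ether);
    }
}
```

Run with `forge test` in a Foundry project that has forge-std installed; the first test passes only because the stand-in reproduces the missing credit, and the second confirms the recommended line restores a non-zero reward pool.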
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds
