Multiple Matches with Zero Funds in LikeRegistry Contract
Summary
Since likes are not being reset after a match, the LikeRegistry contract allows users to have multiple matches. However, only the first match will receive funds because userBalances are reset to zero after each match.
Vulnerability Details
Likes Not Being Deleted: In the
likeUserfunction, when a mutual like is detected, thematchRewardsfunction is called to distribute rewards. However, the likes are not being deleted after a match is made, allowing users to have multiple matches with the same user.Zero Funds for Subsequent Matches: The
userBalancesare reset to zero after the first match, resulting in zero funds for subsequent matches. This means that only the first match will have funds, while subsequent matches will have zero funds.
Impact
Zero Funds for Subsequent Matches: Only the first match will have funds, while subsequent matches will have zero funds due to the
userBalancesbeing reset to zero.User Dissatisfaction: Users may be dissatisfied if they expect rewards from multiple matches but only receive funds for the first match.
Tools Used
Manual code review
Recommendations
Delete Likes After Matching: Ensure that likes are deleted after a match is made to prevent multiple matches with the same user.
Update
userBalancesAppropriately: Ensure thatuserBalancesare updated correctly to reflect the funds available for each match.
Appeal created
finding_several_match_lead_to_multisig_with_no_funds
Likelihood: Medium, if anyone has 2 matches or more before reliking. Impact: Medium, the user won't contribute to the wallet.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.