DatingDapp

First Flight #33

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

ETH Not Transferred and userBalances Not Updated in LikeRegistry:likeUser

bryanconquer

Summary

The likeUser function is designed to implement a pay-to-like mechanism, where users pay 1 ETH to express interest in another user. However, while the function checks that msg.value >= 1 ether, it **does not actually updaate **the ETH to the liked user.

userBalances is not updated – The contract tracks balances via userBalances, but the liked user's balance is not incremented when they receive a like. This means their balance remains unchanged, even though they were supposed to receive 1 ETH.

Vulnerability Details

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

require(!likes[msg.sender][liked], "Already liked");

require(msg.sender != liked, "Cannot like yourself");

require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");

require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

likes[msg.sender][liked] = true;

emit Liked(msg.sender, liked);

// other function code

Call `likeUser(likedUserAddress)` and send 1 ETH (`msg.value = 1 ether`).

userBalances[likedUserAddress], which remains 0 instead of increasing by 1 ETH.

Impact

Breaks expected functionality – The documentation states that liking a profile requires a payment, but the current implementation does not enforce this.

Funds are not transferred – The liked user does not receive the 1 ETH payment, making the feature ineffective.

Tools Used

manual review and foundry

Recommendations

Modify the function to ensure that ETH is properly transferred to the liked user

This ensures that the ETH sent by the liker update the intended recipient and that the pay-to-like mechanism functions as expected.

// Update liked user's balance

userBalances[liked] += msg.value;

Updates

Appeal created

n0kto Lead Judge 7 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds

Rewards breakdown

nSLOC

197

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.