DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: medium
Invalid

Money locked in LikeRegistry after like

Summary

The LikeRegistry contract’s likeUser function may cause funds to be locked indefinitely. Once a user (Alice) sends 1 or more Ether via likeUser to another user (Bob), there is no built-in mechanism to recover the deposited funds unless Bob successfully calls likeUser back. This creates a potential risk where the sender's funds may get trapped if the recipient becomes unable or unwilling to interact with the contract further.

Vulnerability Details

When Alice calls LikeRegistry::likeUser and sends Ether to like Bob, the Ether is stored in the contract with no path for retrieval unless Bob, the recipient, later calls LikeRegistry::likeUser. However, if Bob's account becomes blocked, burned, or otherwise unable to execute functions (for example, due to administrative actions like profile blocking via the SoulboundProfileNFT contract), then Bob may not be able to call likeUser. As a result, Alice’s Ether remains locked in the contract indefinitely.

POC

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
// Import paths assume the standard Foundry src/ layout of the DatingDapp repository.
import {SoulboundProfileNFT} from "../src/SoulboundProfileNFT.sol";
import {LikeRegistry} from "../src/LikeRegistry.sol";

contract LikeLockedMoneyTest is Test {
    SoulboundProfileNFT soulboundNFT;
    LikeRegistry likeRegistry;

    // Test actors. The test contract deploys SoulboundProfileNFT, so it is the owner.
    address owner = address(this);
    address user = makeAddr("alice");
    address user2 = makeAddr("bob");

    function setUp() public {
        soulboundNFT = new SoulboundProfileNFT();
        likeRegistry = new LikeRegistry(address(soulboundNFT));
        vm.deal(user, 10 ether);
        vm.deal(user2, 10 ether);
    }

    function testLikeLockedMoney() public {
        // Create profiles
        vm.prank(user);
        soulboundNFT.mintProfile("Alice", 18, "ipfs://profileImageAlice");
        vm.prank(user2);
        soulboundNFT.mintProfile("Bob", 65, "ipfs://profileImageBob");

        // Alice gives a like to Bob and sends 1 Ether
        vm.prank(user);
        likeRegistry.likeUser{value: 1 ether}(user2);

        // Bob's profile gets blocked (making it impossible for him to call likeUser)
        vm.prank(owner);
        soulboundNFT.blockProfile(user2);

        // Bob cannot give a like back due to the blockage; the transaction is expected to revert
        vm.prank(user2);
        vm.expectRevert();
        likeRegistry.likeUser{value: 1 ether}(user);
    }
}
```

Impact

  • Alice’s Ether will be permanently locked in the LikeRegistry contract with no way of retrieving it.

  • This can lead to user dissatisfaction and loss of funds, negatively impacting the trust in the system.

  • In cases where a user is unable to perform the unlocking action due to account restrictions (blocked or burned accounts), funds deposited as likes become irrecoverable.

Tools Used

  • Foundry (for testing and POC demonstration)

Recommendations

  • Implement a mechanism that allows users to withdraw their Ether if the counterparty (the recipient) is unable or unwilling to unlock the funds. For example, consider adding:

    • A timeout feature enabling a refund if no reciprocal like action is performed within a set period.

    • A dedicated withdrawal function that allows the original sender to retrieve their funds after specific conditions are met (e.g., if the recipient has been blocked or has remained inactive for a defined duration).

  By incorporating a safe withdrawal or refund mechanism, the contract can mitigate the risk of funds becoming locked and improve the overall user experience and security of the system.
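The timeout refund suggested above, as an added illustrative sketch that is not the DatingDapp LikeRegistry code; the contract name, the 30-day window, the `pending` mapping and the omission of the matching logic are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Sketch of a like escrow with a timeout refund (added example, not the
/// project's LikeRegistry). Names and the 30-day window are assumptions.
contract LikeEscrowSketch {
    uint256 public constant REFUND_DELAY = 30 days;

    struct PendingLike {
        uint256 amount; // wei escrowed with the like
        uint256 sentAt; // block.timestamp when the like was sent
    }

    // liker => liked => escrowed like awaiting a reciprocal like
    mapping(address => mapping(address => PendingLike)) public pending;

    event Liked(address indexed from, address indexed to, uint256 amount);
    event Refunded(address indexed from, address indexed to, uint256 amount);

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(liked != msg.sender, "Cannot like yourself");
        require(pending[msg.sender][liked].amount == 0, "Already liked");
        pending[msg.sender][liked] = PendingLike(msg.value, block.timestamp);
        emit Liked(msg.sender, liked, msg.value);
        // The real contract would detect a reciprocal like here, form the match
        // and clear both pending entries; that path is omitted in this sketch.
    }

    /// The original sender reclaims escrowed ETH once the window has elapsed
    /// and no reciprocal like exists, so the funds can never be stranded.
    function refundExpiredLike(address liked) external {
        PendingLike memory p = pending[msg.sender][liked];
        require(p.amount > 0, "Nothing to refund");
        require(block.timestamp >= p.sentAt + REFUND_DELAY, "Refund window not open");
        require(pending[liked][msg.sender].amount == 0, "Like was reciprocated");
        // Clear state before the external call (checks-effects-interactions).
        delete pending[msg.sender][liked];
        (bool ok, ) = payable(msg.sender).call{value: p.amount}("");
        require(ok, "Refund transfer failed");
        emit Refunded(msg.sender, liked, p.amount);
    }
}
```

Because the refund path only depends on the sender's own call, a blocked or burned recipient profile no longer decides whether the escrowed Ether is recoverable.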

Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
