DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Blocked and deleted profiles' funds are stuck in the contract

0xjarix

Summary

Blocked and deleted profiles' funds are stuck in the LikeRegistry contract.

Vulnerability Details

When users are blocked or deleted their funds remain in the contract due to a lack of withdraw mechanisms.

function burnProfile() external
uint256 tokenId = profileToToken[msg.sender];
require(tokenId != 0, "No profile found");
require(ownerOf(tokenId) == msg.sender, "Not profile owner");
_burn(tokenId);
delete profileToToken[msg.sender];
delete _profiles[tokenId];
emit ProfileBurned(msg.sender, tokenId);
}
/// @notice App owner can block users
function blockProfile(address blockAddress) external onlyOwner {
uint256 tokenId = profileToToken[blockAddress];
require(tokenId != 0, "No profile found");
_burn(tokenId);
delete profileToToken[blockAddress];
delete _profiles[tokenId];
emit ProfileBurned(blockAddress, tokenId);
}

Consider this scenario:

  1. Innocent users likes 10 users so he sent at least 10 ETH to the LikeRegistry contract

  2. Innocent users decide to delete his profile, the 10 ETH are forever stuck in the contract


Impact

Funds will be lost, for both innocent and bad users. Even the protocol owner cannot withdraw them.

Tools Used

Manual review

Recommendations

Add a refund mechanisms for the users who decided to delete their profiles.
Add a withdrawal mechanism that is only callable by the owner to withdraw blocked users' funds.

Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_blocking_or_burning_no_refund_balances_or_multisig

Likelihood: Low, burning with money in it would be a user mistake, and being blocked is Low. Impact: High, loss of funds

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.