DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Users can know who likes them and it should be a secret

Summary

Users can know who likes them, and it should be a secret. Users can then know who already likes them, because everything is visible on the blockchain. Users can see whether they want to match with them right away or wait for a better option. They can also front-run their admirer's like of some other user by liking them back and matching with them.

Vulnerability Details

Consider these 2 scenarios:

  • Scenario #1:

  1. A likes B

  2. B knows that A likes him because everything is public on the blockchain, but decides not to match with them right away, either to keep his options open or to let A like a few more people who haven't already liked A, so that more funds are sent to the multisig when B decides to match with A

  3. C likes A

  4. A calls likeUser(C)

  5. B sees in the mempool that he might lose a potential match, and he couldn't find a better match in the app; also, 1 ETH is quite expensive to pay to like someone we're not sure is going to like back

  6. B front-runs A's transaction and calls likeUser(A) to match with A

  • Scenario #2:

  1. A likes B

  2. B knows that A likes him because everything is public on the blockchain, but decides not to match with them right away, either to keep his options open or to let A like a few more people who haven't already liked A, so that more funds are sent to the multisig when B decides to match with A

  3. A likes C

  4. C calls likeUser(A)

  5. B sees in the mempool that he might lose a potential match, and he couldn't find a better match in the app; also, 1 ETH is quite expensive to pay to like someone we're not sure is going to like back

  6. B front-runs C's transaction and calls likeUser(A) to match with A

Impact

Likes are no longer a mystery, and users can ruin the sincere matches of a user they don't like much but couldn't find a better alternative to.

Tools Used

Manual review

Recommendations

Addresses should be hashed.

Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.
