DatingDapp

First Flight #33

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-1]: Missing update to user Balances in the `likeUser` function

shabihethsec

Summary

The LikeRegistry contract has a critical issue where the likeUser function does not update the userBalances mapping when a user sends ETH. As a result, the deposit funds are never recorded leading to operate matchReward on zero balances.

Vulnerability Details

The likeUser function in the likeRegistry contract never updates the usersbalances mapping to credit the sender’s balance with the deposited ETH. Consequently, when a mutual like is detected, the matchRewards function computes rewards using zero balances from both the users. This oversight prevents the proper accumulation and distribution of rewards and all the funds remains in the likeRegistry contract, as the deposited funds are not tracked.

POC:

Here's the poc code to demonstrate the issue to run against foundry:

pragma solidity ^0.8.19;

import { Test, console } from "lib/forge-std/src/Test.sol";

import { LikeRegistry } from "../src/LikeRegistry.sol";

import { MultiSigWallet } from "src/MultiSig.sol";

import { SoulboundProfileNFT} from "src/SoulboundProfileNFT.sol";

contract LikeRegistryTest is Test {

LikeRegistry likeRegistry;

MultiSigWallet multiSig;

SoulboundProfileNFT profileNft;

uint256 public constant STARTING_USER_BALANCE = 10 ether;

address public USER1 = makeAddr("user1");

address public USER2 = makeAddr("user2");

function setUp() external {

profileNft = new SoulboundProfileNFT();

likeRegistry = new LikeRegistry(address(profileNft));

vm.deal(USER1, STARTING_USER_BALANCE);

vm.deal(USER2, STARTING_USER_BALANCE);

}

modifier nftMintedForAllTheUsers() {

vm.prank(USER1);

profileNft.mintProfile("Alex", 21, "ipfs://QmUPjADFGEKmfohdTaNcWhp7VGk26h5jXDA7v3VtTnTLcW");

vm.prank(USER2);

profileNft.mintProfile("Rose", 20, "ipfs://RandomURI");

}

function test_usersAreMutuallyLikedButTheUsersBalancesNotUpdated() public nftMintedForAllTheUsers {

// mappings is not getting updated for the userBalances

vm.prank(USER1);

likeRegistry.likeUser{value: 1 ether}(USER2);

console.log("Balance Of User1: ", likeRegistry.userBalances(USER1));

vm.prank(USER2);

likeRegistry.likeUser{value: 1 ether}(USER1);

console.log("Balance Of User2: ", likeRegistry.userBalances(USER2));

// Shows that the users are mutually liked.

assertTrue(likeRegistry.likes(USER1, USER2), "Unable To Like!");

// This will show the balance remains in the contract and is not transferred to the multisig wallet.

console.log("BalanceOfTheLikeRegistry: ", (address(likeRegistry)).balance);

}

To run this test use the following command:

forge test --mt test_usersAreMutuallyLikedButTheUsersBalancesNotUpdated -vv

Steps To Reproduce:

Mint two Users profile by calling the mintProfile.
Make the users like themselves by calling the LikeRegistry function.
Call the withdrawFees function and you will get the error ”No fees to Withdraw.”

Impact

Incorrect Reward Calculation:
Since the userBalances mapping never updated, the Reward calulation in matchRewards always results in 0 ETH being available for distribution, even though users have sent funds.
Funds Minsmanagement:
The ETH sent by users will remain in the contract without being properly allocated, leading to potential fund mismanagement or unintended locking of user deposits.
Economic Incentive Failure: Users expecting to earn rewards for mutual likes will not receive any payouts, potentially undermining trust and participation in the platform.

Tools Used

Manual Review
Foundry

Recommendations

Update the User Balance: Modify the likeUser function to update the userBalances mapping with the ETH sent. For instance, immediately after the validation checks, add:

userBalances[msg.sender] += msg.value;

Updates

Appeal created

n0kto Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds

Rewards breakdown

nSLOC

197

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.