Submission Details
Severity:
Users can like profiles that are already matched
L-1 / I Users can like profiles that are already matched
Description:
The likeUser function in LikeRegistry.sol allows users to like profiles that have already found a match. This could lead to wasted ETH deposits and a suboptimal user experience.
Proof of Concept:
As demonstrated in test_user_can_like_already_matched_user():
function test_user_can_like_already_matched_user() public {
// Arrange
_mintSoulNFT(USER1, "User 1", 20, "https://example.com/image.png");
_mintSoulNFT(USER2, "User 2", 20, "https://example.com/image.png");
_mutualLike(USER1, USER2);
// Act
_mintSoulNFT(USER3, "User 3", 20, "https://example.com/image.png");
vm.prank(USER3);
likeRegistry.likeUser{value: 1 ether}(USER2);
// Assert
assertEq(likeRegistry.likes(USER3, USER2), true);
}
_minSoulNFT function used
function _mintSoulNFT(address user, string memory name, uint8 age, string memory profileImage) internal {
vm.prank(user);
soulboundProfileNFT.mintProfile(name, age, profileImage);
}
Updates
Appeal created
n0kto 7 months ago
Submission Judgement Published Assigned finding tags:
finding_several_match_lead_to_multisig_with_no_funds
Likelihood: Medium, if anyone has 2 matches or more before reliking. Impact: Medium, the user won't contribute to the wallet.
Rewards breakdown
nSLOC
197This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.