DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Reentrancy Vulnerability in `LikeRegistry.matchRewards`

  • Root Cause: The matchRewards function in LikeRegistry sends ETH to a newly deployed MultiSigWallet contract. A malicious user could create a contract that mimics the MultiSigWallet and, in its receive() function, calls back to the LikeRegistry's likeUser function. This would allow them to repeatedly drain the userBalances of other users before the original matchRewards transaction completes.

  • Impact: Loss of user funds. A malicious user could steal all the ETH accumulated in userBalances.

  • Recommendation: Implement a reentrancy guard in matchRewards. This can be done using a mutex or a check-effect-interaction pattern. For example:

```solidity
uint256 private _locked; // Mutex

function matchRewards(address from, address to) internal {
    require(_locked == 0, "ReentrancyGuard: reentrant call");
    _locked = 1;
    // ... existing code ...
    (bool success,) = payable(address(multiSigWallet)).call{value: rewards}("");
    require(success, "Transfer failed");
    _locked = 0;
}
```
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_reentrancy_with_no_impact

matchRewards: Contract is created just before and is the one called. No impact.
executeTransaction: CEI is followed. Emitting an event in disorder is informational in that context.
withdraw: CEI is followed.
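The two points above (the submitter's mutex recommendation and the judge's observation that the recipient wallet is deployed by the contract itself, just before the call) come down to one pattern: follow checks-effects-interactions and place the reentrancy guard on the external entry point. The sketch below is an added illustration, not DatingDapp's code; the names `userBalances`, `likeUser`, `MultiSigWallet` and `matchRewards` are taken from the finding, while the wallet constructor, the reward arithmetic and the `likes` mapping are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Only the names mirror the
// finding; wallet body, reward math and the `likes` mapping are assumptions.

contract MultiSigWallet {
    address public ownerA;
    address public ownerB;

    constructor(address a, address b) {
        ownerA = a;
        ownerB = b;
    }

    // Known code: this registry deploys the wallet itself, so receive() is
    // not attacker-supplied. The registry still treats the call as an
    // external interaction and orders its state updates first.
    receive() external payable {}
}

contract LikeRegistryHardened {
    mapping(address => uint256) public userBalances;
    mapping(address => mapping(address => bool)) public likes;
    uint256 private _locked; // 0 = unlocked, 1 = entered

    // Guard the external entry point, not only the internal helper: a
    // callback can only re-enter through an external function.
    modifier nonReentrant() {
        require(_locked == 0, "ReentrancyGuard: reentrant call");
        _locked = 1;
        _;
        _locked = 0;
    }

    // Assumed entry point: paying a like records it and, on a mutual like,
    // triggers the reward payout.
    function likeUser(address liked) external payable nonReentrant {
        require(msg.value > 0, "must pay to like");
        require(liked != msg.sender, "cannot like yourself");
        userBalances[msg.sender] += msg.value;
        likes[msg.sender][liked] = true;
        if (likes[liked][msg.sender]) {
            _matchRewards(msg.sender, liked);
        }
    }

    function _matchRewards(address from, address to) internal {
        // Checks
        uint256 rewards = userBalances[from] + userBalances[to];
        require(rewards > 0, "nothing to pay out");

        // Effects: zero both balances BEFORE any external call, so a
        // re-entering caller would find nothing left to drain.
        userBalances[from] = 0;
        userBalances[to] = 0;

        // Interaction: deploy the wallet and send last; check the result.
        MultiSigWallet wallet = new MultiSigWallet(from, to);
        (bool ok, ) = payable(address(wallet)).call{value: rewards}("");
        require(ok, "Transfer failed");
    }
}
```

Two design notes. First, a mutex on an `internal` function only helps if every external path that can be re-entered ends up inside that function; putting the guard on `likeUser` (or whichever external function triggers the payout) covers the callback regardless of which helper it reaches. Second, because the balances are zeroed before the transfer, the CEI ordering alone already removes the drain scenario even without the guard, which is the property the judge relies on for `executeTransaction` and `withdraw`.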
