DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Untracked ETH Deposits Leading to Locked Funds and Broken Reward Distribution

Summary

The LikeRegistry contract is intended to pool user payments and distribute rewards when two users mutually like each other. However, due to a logical oversight in the likeUser function, users’ ETH deposits are never recorded in the userBalances mapping. This omission disrupts the reward mechanism and may result in user funds being locked within the contract, undermining both its functionality and financial integrity.

Vulnerability Details

  • Missing Balance Update:
    When users call the likeUser function and send ETH, the deposited amount (msg.value) is not added to the userBalances mapping. Consequently, even though funds are received, they are not attributed to the sender’s balance.

  • Broken Reward Calculation:
    The matchRewards function attempts to pool funds from two matched users by reading their balances from userBalances. Since these balances remain at zero, the calculated rewards are always zero. This leads to the failure of the intended reward distribution process.

  • Fund Locking and Economic Disruption:
    Without updating userBalances, the contract’s economic model is broken. Deposited funds are effectively trapped in the contract, as there is no mechanism for users to withdraw their unaccounted funds, which can result in financial losses.

  • Severity Level:
    High. Although this vulnerability does not allow an attacker to directly steal funds, it critically undermines the core functionality of the contract and risks locking substantial user funds, potentially leading to significant financial and reputational harm.

Impact

  • Loss or Locking of Funds:
    Users’ deposits may remain permanently locked in the contract, as they are not properly recorded or allocated, leading to potential loss of funds.

  • Disruption of Core Functionality:
    The fundamental feature of rewarding mutual likes fails because the reward mechanism relies on user balances that are never updated. This failure disrupts the intended economic model and user incentives.

  • Reputational and Legal Risks:
    The mishandling of user funds can erode trust in the platform, potentially exposing the project team to legal challenges and reputational damage.

Tools Used

Manual Code Review:
A detailed line-by-line analysis of the contract was performed to understand its intended flow and identify logical discrepancies.

Recommendations

Implement Balance Updates:
Modify the likeUser function to update the userBalances mapping with the deposited amount. For example:

function likeUser(address liked) external payable {
    require(msg.value >= 1 ether, "Must send at least 1 ETH");
    require(!likes[msg.sender][liked], "Already liked");
    require(msg.sender != liked, "Cannot like yourself");
    require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
    require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

    // Update the user balance with the deposited ETH
    userBalances[msg.sender] += msg.value;

    likes[msg.sender][liked] = true;
    emit Liked(msg.sender, liked);

    // Check if mutual like
    if (likes[liked][msg.sender]) {
        matches[msg.sender].push(liked);
        matches[liked].push(msg.sender);
        emit Matched(msg.sender, liked);
        matchRewards(liked, msg.sender);
    }
}
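A Foundry test that pins down the accounting property this finding is about, added here as an example and not part of the submission or of the DatingDapp code base. It assumes LikeRegistry takes the profile NFT address in its constructor and exposes the public userBalances mapping, and that SoulboundProfileNFT has a mintProfile(string, uint8, string) function; on the unpatched contract the second assertion fails because the registry holds 1 ether that is credited to nobody.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";
import {LikeRegistry} from "../src/LikeRegistry.sol";
import {SoulboundProfileNFT} from "../src/SoulboundProfileNFT.sol";

/// Accounting check for the "untracked deposit" finding.
/// Assumptions (not taken from the report): LikeRegistry(address profileNFT)
/// constructor, public `userBalances` getter, and
/// SoulboundProfileNFT.mintProfile(string name, uint8 age, string image).
contract LikeRegistryAccountingTest is Test {
    SoulboundProfileNFT nft;
    LikeRegistry registry;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        nft = new SoulboundProfileNFT();
        registry = new LikeRegistry(address(nft));

        // Both users need a profile NFT before likeUser accepts them.
        vm.prank(alice);
        nft.mintProfile("Alice", 25, "ipfs://alice"); // constructed sample data
        vm.prank(bob);
        nft.mintProfile("Bob", 27, "ipfs://bob");     // constructed sample data

        vm.deal(alice, 10 ether);
    }

    /// Every wei the registry receives through likeUser must be credited to
    /// the sender, otherwise matchRewards later pools zero and the ETH is
    /// stuck in the contract with no withdrawal path.
    function test_depositIsCreditedToSender() public {
        vm.prank(alice);
        registry.likeUser{value: 1 ether}(bob);

        // The ETH arrived ...
        assertEq(address(registry).balance, 1 ether, "registry did not receive ETH");
        // ... and is attributed to alice. Fails on the unpatched contract (0 != 1 ether).
        assertEq(registry.userBalances(alice), 1 ether, "deposit not credited to sender");
    }
}
```

Run it with `forge test --match-contract LikeRegistryAccountingTest -vv` against both the original and the patched likeUser to confirm the fix.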
Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds
