DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

No Withdrawal Mechanism for Unmatched Users

Summary

The LikeRegistry contract is intended to facilitate reward distribution upon mutual likes by collecting ETH deposits via the likeUser function. However, if a user does not receive a mutual like, there is no mechanism in place to withdraw their deposited ETH. This results in funds being permanently locked within the contract, undermining user trust and financial integrity.

Vulnerability Details

  • Lack of Withdrawal Mechanism:
    The contract records user deposits in the userBalances mapping without providing any function for users to withdraw their funds in the event that a mutual like is never achieved.

  • Funds Permanently Locked:
    Without a withdrawal option, any ETH deposited by a user who does not receive a mutual like remains permanently trapped in the contract, potentially leading to significant financial loss.

  • Severity Level:
    High. Although this vulnerability does not directly allow an attacker to steal funds, it critically jeopardizes user funds by preventing recovery in the absence of a match, thereby causing potential financial and reputational damage.

Impact

  • Permanent Loss or Locking of Funds:
    Users may permanently lose their deposited ETH if they do not receive a mutual like, as the funds remain locked in the contract with no means for recovery.

  • User Dissatisfaction and Erosion of Trust:
    The inability to withdraw funds can lead to significant user dissatisfaction and may severely damage the platform's reputation.

  • Economic Disruption:
    The locked funds can distort the contract’s economic model and overall functionality, affecting liquidity and user participation.

Tools Used

Manual Code Review:
A detailed analysis of the contract was performed to understand how user deposits are managed and to identify the absence of any withdrawal functionality.

Recommendations

Implement a Withdrawal Mechanism:
Introduce a function that allows users to withdraw their deposited ETH if a mutual like is not achieved.
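As an added illustration of the recommended fix (this is not the DatingDapp code; only the contract name LikeRegistry, the likeUser function and the userBalances mapping come from the report, while the likes and matched mappings, the withdrawUnmatched function and its event are assumptions), a minimal contract showing how an unmatched user's deposit can be returned without opening a reentrancy path:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical simplified LikeRegistry used only to demonstrate a withdrawal
/// path for unmatched users. The `likes`/`matched` mappings and
/// `withdrawUnmatched` are assumptions, not the audited project's code.
contract LikeRegistryWithdrawExample {
    // ETH deposited per user (name taken from the report).
    mapping(address => uint256) public userBalances;
    // likes[a][b] == true means `a` has liked `b` (assumed bookkeeping).
    mapping(address => mapping(address => bool)) public likes;
    // Set for both parties once a mutual like exists (assumed).
    mapping(address => bool) public matched;

    event Withdrawn(address indexed user, uint256 amount);

    /// Deposit ETH and record a like; on a mutual like both users are marked
    /// matched and their deposits stay in the contract for reward handling.
    function likeUser(address liked) external payable {
        require(msg.value > 0, "no deposit");
        require(liked != msg.sender, "cannot like self");
        userBalances[msg.sender] += msg.value;
        likes[msg.sender][liked] = true;
        if (likes[liked][msg.sender]) {
            matched[msg.sender] = true;
            matched[liked] = true;
        }
    }

    /// Let a user who never received a mutual like recover their deposit.
    /// Checks-effects-interactions: the balance is zeroed before the ETH is
    /// sent, so a reentrant call from the recipient sees nothing to withdraw.
    function withdrawUnmatched() external {
        require(!matched[msg.sender], "matched: deposit reserved for rewards");
        uint256 amount = userBalances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        userBalances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }
}
```

The key design choice is that the unmatched check and the balance update happen before the external call; a Foundry test for the fix would deposit from one account, call withdrawUnmatched, and assert both that the account's ETH is restored and that userBalances for it reads zero afterwards.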

Updates

Appeal created

n0kto Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
