DatingDapp
First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

MultiSig Wallet functionality could be exploited by like-farming by a pair of bad actors.

Summary

LikeRegistry::matchRewards transfers all funds received by matched users into one multiSig wallet and the MultiSig contract allows them to use the funds as they wish. If a pair of users decided to only match with each other, they can cash out all funds received from likes, which seems to violate the purpose of the app. E.g., User A and User B both receive 5 likes each before matching with each other for a minimum value of 1 ether per like. They then spend 1 ether each to match. This brings the total amount in the multiSig wallet to a minimum of 12 ether. Subtracting the 10% matching fees, they each gain 5.4 ether from this plan. Additionally, if a user has two different addresses they can use to create profiles on this app, they don't even need a partner for this attack.

Impact

Depending on the scamming skills of the users and the popularity of the app, this could lead to hundreds of thousands of dollars in profit for scammers at the cost of nothing but gas fees. Likelihood of this attack also seems high, with the track record of dating apps.

Proof of concept

Change the LikeRegistry::likeUser function to keep track of user balances (bug already reported).

+ userBalances[liked] += msg.value;
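Review bot: the hunk credits `userBalances[liked]` on every like, but nothing shown debits or resets that balance when `matchRewards` forwards the funds to the multisig; confirm the balance is zeroed at match time, otherwise the same like value is still recorded after it has been paid out and can be counted again by a later match.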

Run the following test:

```solidity
// Foundry test; all users already have a profile and a 5 ether balance from vm.deal().
function testLikeFarming() public {
    vm.prank(user3); // random third party: 1 ether like sent to user
    likeRegistry.likeUser{value: 1 ether}(user);
    vm.prank(user2); // colluding pair: user2 likes user ...
    likeRegistry.likeUser{value: 1 ether}(user);
    vm.prank(user); // ... and user likes user2 back, which triggers matchRewards
    likeRegistry.likeUser{value: 1 ether}(user2);
    // Run with: forge test -mt testLikeFarming -vvvvv
    // The trace shows the third party's like swept into the pair's wallet too
    // (3 ether received, minus the 10% matching fee):
    // MultiSigWallet::receive{value: 2700000000000000000}()
}
```

The users in this example cover matching fees and make a 0.7 ETH profit from just 1 like.

Mitigation

  1. If two users spend 1 ether each for a match, the funds in the wallet should be limited to 2 ether (minus matching fees). This comes out to around $5k and should be more than enough for a first date.

  2. There should be a time period after which likes that are not converted into matches should be refunded back to the sender. This would also help maintain the longevity of the app, keeping loss of funds to a minimum and encourage more people to send likes.
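Both mitigations in one sketch, added here and not DatingDapp's own LikeRegistry: the contract name, the 1 ether minimum, the 30-day refund window and the per-pair escrow are assumptions, while the 10% fee follows the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical sketch, not DatingDapp's LikeRegistry. Names, the 1 ether minimum
// and the 30-day refund window are assumptions; the 10% fee follows the report.
contract LikeRegistryMitigated {
    uint256 public constant FEE_BPS = 1_000;     // 10% matching fee
    uint256 public constant LIKE_TTL = 30 days;  // assumed refund window for unmatched likes

    struct Like { uint256 value; uint64 sentAt; }
    mapping(address => mapping(address => Like)) public likes;       // liker => liked
    mapping(address => mapping(address => uint256)) public matchPot; // escrow per matched pair
    uint256 public totalFees;

    event Matched(address indexed a, address indexed b, uint256 payout);
    event Refunded(address indexed liker, address indexed liked, uint256 value);

    function likeUser(address liked) external payable {
        require(liked != msg.sender, "self like");
        require(msg.value >= 1 ether, "like needs >= 1 ether");
        require(likes[msg.sender][liked].value == 0, "already liked");
        likes[msg.sender][liked] = Like(msg.value, uint64(block.timestamp));
        if (likes[liked][msg.sender].value != 0) _match(msg.sender, liked);
    }

    // Mitigation 1: only the two likes exchanged between this pair fund the match.
    // Likes either partner received from third parties are never swept into it.
    function _match(address a, address b) internal {
        uint256 pot = likes[a][b].value + likes[b][a].value;
        delete likes[a][b];
        delete likes[b][a];
        uint256 fee = pot * FEE_BPS / 10_000;
        totalFees += fee;
        uint256 payout = pot - fee; // 2 ether in, 1.8 ether out for a 1 ether + 1 ether match
        // The original app forwards this to a fresh two-party multisig; escrowing it per pair is enough here.
        matchPot[a][b] += payout;
        emit Matched(a, b, payout);
    }

    // Mitigation 2: a like not reciprocated within LIKE_TTL is returned to its sender.
    function refundExpiredLike(address liked) external {
        Like memory l = likes[msg.sender][liked];
        require(l.value != 0, "no pending like");
        require(block.timestamp >= l.sentAt + LIKE_TTL, "like not expired yet");
        delete likes[msg.sender][liked]; // state cleared before the transfer (checks-effects-interactions)
        (bool ok, ) = msg.sender.call{value: l.value}("");
        require(ok, "refund failed");
        emit Refunded(msg.sender, liked, l.value);
    }
}
```

With this accounting the PoC above would put 1.8 ether in the pair's escrow instead of 2.7 ether, and the third party's 1 ether like becomes refundable once it expires.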

Updates

Appeal created

n0kto, Lead Judge, 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags: Suppositions

You have to point to a real root cause leading to a bug. "If, may, could, unexpected behavior, incoherent" are not describing a real concrete bug. Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc.) to prove your point.
