DatingDapp

First Flight #33
Tags: Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Invalid

Collusion Attack – Exploiting the Matching System to Extract Funds

Summary

The current matching mechanism allows users to collude to extract ETH unfairly. An attacker can farm likes from genuine users, then match with an accomplice to claim the pooled ETH. Honest users lose funds while the colluders profit, which makes the system unsustainable.

Vulnerability Details

Issue:

The contract’s reward mechanism guarantees payouts to matched users, making it exploitable by:

  1. Receiving likes from real users without reciprocating.

  2. Creating a second account (or colluding with another user) so that the attacker matches with an account they control.

  3. Triggering a match to claim pooled ETH, even though the match is not genuine.

  4. Withdrawing funds meant for real connections.

Attack Scenario:

  1. Alice creates a profile but does not like anyone.

  2. 10 real users like Alice, each sending 1 ETH, locking 10 ETH in the system.

  3. Alice colludes with Bob (or uses a second account).

  4. The system pools Alice and Bob’s 2 ETH with the 10 ETH from real users, creating a 12 ETH payout.

  5. Alice and Bob withdraw 12 ETH (minus any fee), effectively stealing 10 ETH from real users.

  6. They repeat the attack using new accounts, draining the system.

Impact

  • Loss of user funds: Honest users pay ETH to like someone, expecting a fair matchmaking process, but colluders can extract it unfairly.

  • Infinite exploitation loop: Attackers can repeat the process endlessly, draining all ETH.

  • Unsustainable system: The platform will lose credibility, as users realize that colluders win while genuine users lose.

Tools Used

Manual Code Review: Identified logical flaws in the matchmaking and reward system.

Recommendation

To prevent collusion-based fund extraction, consider the following best practices:

  1. Remove Guaranteed Payouts – Instead of automatically rewarding every match, distribute funds at fixed intervals (e.g., daily or weekly) to prevent attackers from controlling payouts.

  2. Implement Anti-Sybil Measures – Require Proof-of-Humanity, KYC, or social verification to prevent attackers from using multiple fake accounts.

  3. Require Meaningful Engagement – Ensure users actively like multiple profiles before being eligible for rewards, reducing passive exploitation.

  4. Cap Maximum Rewards per Match – Limit the amount of ETH a single match can receive, preventing large-scale fund extraction.

  5. Use a Reputation-Based System – Introduce trust scores or history-based eligibility to ensure rewards favor genuine users over new or suspicious accounts.

Removing predictable payouts and enforcing engagement and trust requirements makes collusion unprofitable and keeps the system fair and sustainable.
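The following contract is an added illustration of recommendations 3 and 4 (engagement before eligibility, and a per-match payout cap), with the excess above the cap parked for a later scheduled distribution as in recommendation 1. It is hypothetical code written for this report, not the DatingDapp project's own contract; the contract name, function names, constants and the pull-payment layout are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical matching contract illustrating recommendations 3 and 4 of this
/// report. Names and constants are assumptions, not the DatingDapp project's code.
contract CappedMatchRewards {
    uint256 public constant MIN_LIKE_STAKE = 1 ether;
    uint256 public constant MIN_LIKES_GIVEN = 3;            // recommendation 3
    uint256 public constant MAX_PAYOUT_PER_MATCH = 2 ether; // recommendation 4
    uint256 public constant FEE_BPS = 1_000;                // 10% protocol fee

    address public immutable owner;
    uint256 public protocolFees;
    // ETH above the cap, held back for a scheduled distribution (recommendation 1).
    uint256 public overflowPool;

    // stake[a][b] is the ETH that a locked when liking b. It is attributed to
    // that single pair only and is never mixed with likes from third parties.
    mapping(address => mapping(address => uint256)) public stake;
    mapping(address => uint256) public likesGiven;
    mapping(address => mapping(address => bool)) public settled;
    mapping(address => uint256) public pendingWithdrawals;

    constructor() {
        owner = msg.sender;
    }

    function likeUser(address target) external payable {
        require(target != msg.sender, "self-like");
        require(msg.value >= MIN_LIKE_STAKE, "stake too small");
        require(stake[msg.sender][target] == 0, "already liked");
        stake[msg.sender][target] = msg.value;
        likesGiven[msg.sender] += 1;
    }

    function settleMatch(address other) external {
        address me = msg.sender;
        require(stake[me][other] > 0 && stake[other][me] > 0, "not a mutual like");
        require(!settled[me][other], "already settled");
        // Recommendation 3: both parties must have engaged beyond this one pair.
        require(
            likesGiven[me] >= MIN_LIKES_GIVEN && likesGiven[other] >= MIN_LIKES_GIVEN,
            "insufficient engagement"
        );

        settled[me][other] = true;
        settled[other][me] = true;

        // Only the two stakes this pair locked for each other are released.
        uint256 total = stake[me][other] + stake[other][me];
        stake[me][other] = 0;
        stake[other][me] = 0;

        uint256 fee = (total * FEE_BPS) / 10_000;
        uint256 payout = total - fee;
        // Recommendation 4: cap what a single match can release.
        if (payout > MAX_PAYOUT_PER_MATCH) {
            overflowPool += payout - MAX_PAYOUT_PER_MATCH;
            payout = MAX_PAYOUT_PER_MATCH;
        }
        protocolFees += fee;

        // Pull payments: credit balances here, transfer ETH only in withdraw().
        uint256 half = payout / 2;
        pendingWithdrawals[me] += half;
        pendingWithdrawals[other] += payout - half;
    }

    function withdraw() external {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0; // state update before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function withdrawFees() external {
        require(msg.sender == owner, "not owner");
        uint256 amount = protocolFees;
        protocolFees = 0;
        (bool ok, ) = owner.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Because each like's ETH is keyed to the specific pair that created it, a match between two accounts can only ever release what those two accounts locked for each other; the engagement threshold and the per-match cap then bound what any single pair can take out in one settlement.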

Updates

Appeal created

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
