DatingDapp

First Flight #33

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Funds Stuck of the User who Liked the Same user Later

rhaosec

Summary

It was found that the function matchRewards transfer all the funds(balances of liked and liker) to the multisig wallet where the owner are user A(Liker) and user B(liked) if the like is mutual. But it doesn't delete both the users `likes` mapping which results in the fund stuck of the user who liked after there mutual likes.

Scenario 1:

user A Liked user B
user A aslo like user C
Now User B liked User A before than user C so according to the likeRegistorycontract likeUser and matchRewardsfunction the balances of both the user are transfered to the MultiSigWalletin which all the balances of user A and user B is stored and A, B are the owners of the funds.
But now user C also like the user A and because of that mutual likes check in the likeRegistorycontract likeUser and matchRewardsfunction the balance of user C is only gets transfered to the MultiSigWallet because the balances of user A = 0 and also this time the owner is A, C and if A didn't approve the user C funds got stucked in the MultiSigWallet for ever.

Scenario 2:

user A(Malicious attacker 1 account) liked user B.
user C (Malicious attacker 2 account).
Now user B is going to like back user A but the transactions not get executed fully.
Malicious user observe the transaction in the memepool and like his account 1 i.e user A from account 2 i.e user C by front running and gets approved firstly by user B.
Now all the funds or balances from user A and user C (both the account of malicious user) are transfered to the MultiSigWalletand malicious user can withdraw its funds successfully, But now user C funds get in the MultiSigWallet where the owners are user A (Malicious attacker 1 account) and user B. An malicious user can do 2 things now can go on date with user B funds or cannot approve the transactions which leads to user B funds get stucked in the contract.

Vulnerability Details

observe both the function

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

require(!likes[msg.sender][liked], "Already liked");

require(msg.sender != liked, "Cannot like yourself");

require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");

require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

likes[msg.sender][liked] = true;

emit Liked(msg.sender, liked);

// Check if mutual like

if (likes[liked][msg.sender]) {

matches[msg.sender].push(liked);

matches[liked].push(msg.sender);

emit Matched(msg.sender, liked);

matchRewards(liked, msg.sender);

}

function matchRewards(address from, address to) internal {

uint256 matchUserOne = userBalances[from];

uint256 matchUserTwo = userBalances[to];

userBalances[from] = 0;

userBalances[to] = 0;

uint256 totalRewards = matchUserOne + matchUserTwo;

uint256 matchingFees = (totalRewards * FIXEDFEE) / 100;

uint256 rewards = totalRewards - matchingFees;

totalFees += matchingFees;

// Deploy a MultiSig contract for the matched users

MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);

// Send ETH to the deployed multisig wallet

(bool success,) = payable(address(multiSigWallet)).call{value: rewards}("");

require(success, "Transfer failed");

}

Impact

Funds Stuck in MultiSig – Users may lose access to funds if their counterpart refuses to approve withdrawals, disrupting the protocol’s functionality.
Exploitation via Front-Running – Attackers can manipulate the matching process to trap user funds in a MultiSig wallet they control.
Financial Loss & Trust Issues – Users may face fund losses, leading to dissatisfaction and reduced trust in the platform.

Tools Used

Manual Review

Recommendations

Add a proper code which clear the likes mapping of the user if got mutual like by someone.

Updates

Appeal created

n0kto Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_several_match_lead_to_multisig_with_no_funds

Likelihood: Medium, if anyone has 2 matches or more before reliking. Impact: Medium, the user won't contribute to the wallet.

Rewards breakdown

nSLOC

197

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.