Submission Details
Severity:
The `LikeRegistry::userBalances` mapping is never Updated in `LikeRegistry::likeUser()`
Description
The LikeRegistry::likeUser() function requires users to send 1 ETH when liking another user. However, the function never updates userBalances[msg.sender]
Impact
This results in users spending ETH without it being stored for future use in matchRewards(), leading to permanent fund loss if a match does not occur.
Proof of Concepts
Recommended mitigation
Add the following change to the code:
function likeUser(
address liked
) external payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
+ userBalances[msg.sender] += msg.value;
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);
// Check if mutual like
if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
emit Matched(msg.sender, liked);
matchRewards(liked, msg.sender);
}
}
Updates
Appeal created
n0kto 4 months ago
Submission Judgement Published Assigned finding tags:
finding_likeUser_no_userBalances_updated
Likelihood: High, always. Impact: High, loss of funds
Rewards breakdown
nSLOC
197This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.