DatingDapp

First Flight #33

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

If a user doesn’t get matched, their deposited ETH remains locked in the `LikeRegistry` contract because there’s no refund mechanism in place

phylax

Summary

If a user never achieves a match on the LikeRegistry contract, there’s no refund mechanism in place, meaning the ETH they deposited remains permanently locked in the contract. This design flaw can lead to funds being inaccessible, effectively causing users to lose their deposits if no match occurs.

Tools Used

Manual code review

Recommendations

Add a unLikefunction to the LikeRegistry contract so that a user can get back the deposit if never matched:

function unLike(address liked) external {

require(likes[msg.sender][liked], "Not liked");

require(msg.sender != liked, "Cannot unlike yourself");

require(userBalances[msg.sender] >= 1 ether, "No balance to refund");

likes[msg.sender][liked] = false;

emit UnLiked(msg.sender, liked);

(bool success,) = payable(address(msg.sender)).call{value: 1 ether}("");

require(success, "Transfer failed");

}

Set a more strict require in likeUser function to 1 ETH :

function likeUser(address liked) external payable {

- require(msg.value >= 1 ether, "Must send at least 1 ETH");

+ require(msg.value == 1 ether, "Must send 1 ETH");

require(!likes[msg.sender][liked], "Already liked");

require(msg.sender != liked, "Cannot like yourself");

require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");

require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

likes[msg.sender][liked] = true;

emit Liked(msg.sender, liked);

// Should be added to user balance

userBalances[msg.sender] += msg.value;

// Check if mutual like

if (likes[liked][msg.sender]) {

matches[msg.sender].push(liked);

matches[liked].push(msg.sender);

emit Matched(msg.sender, liked);

matchRewards(liked, msg.sender);

}

And add an UnLikedevent to the top of contract:

+ event UnLiked(address indexed liker, address indexed liked);

Updates

Appeal created

n0kto Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.

Rewards breakdown

nSLOC

197

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.