DatingDapp

First Flight #33

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

`userBalances` Is Never Updated – Matching Rewards Are Always Zero

0x68

`userBalances` Is Never Updated – Matching Rewards Are Always Zero

Description:

The userBalances mapping is never updated anywhere in the contract, meaning all balances remain at 0, and matchRewards will always compute a totalRewards of 0.

Impact:

Users never receive any rewards since userBalances[from] and userBalances[to] are always 0.
The matchRewards function becomes useless because it only distributes rewards that don’t exist.
Total fees (totalFees) will always be 0, making withdrawFees ineffective.

Proof of Concept:

Nowhere in the contract is userBalances[msg.sender] updated.

The likeUser function receives ETH, but it doesn’t store it in userBalances.
When matchRewards is called, userBalances[from] and userBalances[to] will always be 0.

function matchRewards(address from, address to) internal {

uint256 matchUserOne = userBalances[from]; // Always 0

uint256 matchUserTwo = userBalances[to]; // Always 0

userBalances[from] = 0;

userBalances[to] = 0;

uint256 totalRewards = matchUserOne + matchUserTwo; // Always 0

uint256 matchingFees = (totalRewards * FIXEDFEE) / 100; // Always 0

uint256 rewards = totalRewards - matchingFees; // Always 0

totalFees += matchingFees; // Always 0

MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);

(bool success,) = payable(address(multiSigWallet)).call{value: rewards}(""); // Sending 0 ETH

require(success, "Transfer failed");

}

Recommended Mitigation:

When a user likes another user, store their sent ETH in userBalances[msg.sender].

✅ Fixed Code:

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

require(!likes[msg.sender][liked], "Already liked");

require(msg.sender != liked, "Cannot like yourself");

require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");

require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

likes[msg.sender][liked] = true;

emit Liked(msg.sender, liked);

// ✅ Store ETH balance for future rewards

userBalances[msg.sender] += msg.value;

// ✅ Refund any excess ETH

if (msg.value > 1 ether) {

(bool success,) = payable(msg.sender).call{value: msg.value - 1 ether}("");

require(success, "Refund failed");

}

// ✅ If mutual like, trigger rewards

if (likes[liked][msg.sender]) {

matches[msg.sender].push(liked);

matches[liked].push(msg.sender);

emit Matched(msg.sender, liked);

matchRewards(liked, msg.sender);

}

Updates

Appeal created

n0kto Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds

Rewards breakdown

nSLOC

197

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

DatingDapp

`userBalances` Is Never Updated – Matching Rewards Are Always Zero

userBalances Is Never Updated – Matching Rewards Are Always Zero

Description:

Impact:

Proof of Concept:

Recommended Mitigation:

✅ Fixed Code:

Appeal created

finding_likeUser_no_userBalances_updated

Rewards breakdown

Live

Judging

Appeals

Appeals Review

Rewards Distribution

FAQs

`userBalances` Is Never Updated – Matching Rewards Are Always Zero