`userBalances` is not saved anywhere, resulting in a critical issue that causes funds to be stuck in the contract with no actual way of getting them out.
In function `likeUser`, the balance of the user is not saved anywhere (in `userBalances`, for example). This leads to a couple of critical issues in function `matchRewards`:
https://github.com/CodeHawks-Contests/2025-02-datingdapp/blob/main/src/LikeRegistry.sol#L50-L67
- `userBalances` of both users will always be 0, meaning even if funds were added they won't be accounted for: resulting in Stuck Funds.
- This will lead to `totalRewards` always being 0 too, essentially breaking a core functionality of the contract (having a pool of total rewards that both users can access), because even though the `matchRewards` function will succeed, the total pool of rewards that is supposed to be used in the MultiSig Wallet will always be 0, making the whole project unusable.
- Finally, because of the previously mentioned problems, `matchingFees` will also be 0, meaning that besides funds getting stuck, leading to problems with core functionalities, the protocol will not make any money from fees, potentially losing money for the owner of DatingDapp in running expenses.
Critical. The balance is not saved, resulting in Stuck Funds, broken core functionality, and the contract not making money.
Manual Review.
Implement a way to save the balance of the users in function `likeUser`.
Example:
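A minimal sketch of that change, added here as an illustration and not the author's or the project's code: a simplified model of the like/match accounting in which `likeUser` credits `msg.value` to `userBalances` before `matchRewards` reads it. The 1 ETH minimum, `FIXED_FEE`, `pairPool` and `pairKey` are assumptions, and the profile checks and MultiSig wallet deployment are left out (the pool is only recorded, not transferred).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified model of the accounting described in this finding.
/// Not the project's LikeRegistry; names marked "assumed" are illustrative.
contract LikeAccountingModel {
    uint256 public constant FIXED_FEE = 10; // percent, assumed value
    mapping(address => mapping(address => bool)) public likes;
    mapping(address => uint256) public userBalances;
    mapping(bytes32 => uint256) public pairPool; // assumed: stands in for the shared wallet
    uint256 public totalFees;

    function likeUser(address liked) external payable {
        require(msg.value >= 1 ether, "Must send at least 1 ETH"); // assumed minimum
        require(msg.sender != liked, "Cannot like yourself");
        require(!likes[msg.sender][liked], "Already liked");

        likes[msg.sender][liked] = true;
        // The step the finding reports as missing: credit the deposit.
        // Without it, every userBalances read in matchRewards returns 0.
        userBalances[msg.sender] += msg.value;

        if (likes[liked][msg.sender]) {
            matchRewards(liked, msg.sender);
        }
    }

    function matchRewards(address from, address to) internal {
        uint256 totalRewards = userBalances[from] + userBalances[to];
        // Zero the balances before crediting the pool.
        userBalances[from] = 0;
        userBalances[to] = 0;

        uint256 matchingFees = (totalRewards * FIXED_FEE) / 100;
        totalFees += matchingFees;
        pairPool[pairKey(from, to)] += totalRewards - matchingFees;
    }

    // Order-independent key so (a, b) and (b, a) map to the same pool.
    function pairKey(address a, address b) public pure returns (bytes32) {
        return a < b ? keccak256(abi.encode(a, b)) : keccak256(abi.encode(b, a));
    }
}
```

In this model the balance is kept per user, so deposits a user made for several likes are all swept into that user's first match; tracking deposits per liked address would avoid that.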
Likelihood: High, always. Impact: High, loss of funds