DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Funds Lost Permanently Due to `userBalances` Mapping Not Updated for Matched Users

hanz

Summary

Users liked each other to reach "matched" status. The contract promises their previous "likes" to be refunded with a fee. However, LikeRegistry's matchRewards function will always refund 0 ether because likeUser function never put into account of users previously sent funds into userBalances.

Vulnerability Detail

When a user like another user, they send at least 1 ether. This payment is never accounted into userBalances mapping.

// LikeRegistry.sol
function likeUser(
address liked
) external payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);
// Check if mutual like
if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
emit Matched(msg.sender, liked);
matchRewards(liked, msg.sender);
}
}

The userBalance mapping is used to determine the amount to refund for matched couples.

// LikeRegistry.sol
function matchRewards(address from, address to) internal {
uint256 matchUserOne = userBalances[from];
uint256 matchUserTwo = userBalances[to];
userBalances[from] = 0;
userBalances[to] = 0;
uint256 totalRewards = matchUserOne + matchUserTwo;
uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100;
uint256 rewards = totalRewards - matchingFees;
totalFees += matchingFees;
// Deploy a MultiSig contract for the matched users
MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
// Send ETH to the deployed multisig wallet
(bool success, ) = payable(address(multiSigWallet)).call{value: rewards}("");
require(success, "Transfer failed");
}

PoC

function testMatchedFundsLost() public {
address alice = address(1);
address bob = address(2);
SoulboundProfileNFT sb = new SoulboundProfileNFT();
LikeRegistry lr = new LikeRegistry(address(sb));
vm.prank(alice);
sb.mintProfile("Alice", 25, "ipfs://profileImage");
vm.prank(bob);
sb.mintProfile("Bob", 27, "ipfs://profileImage");
vm.prank(alice);
vm.deal(alice, 1 ether);
lr.likeUser{value: 1 ether}(bob);
vm.prank(bob);
vm.deal(bob, 1 ether);
lr.likeUser{value: 1 ether}(alice);
// Multisig wallet must have funds
assertNotEq(address(0xffD4505B3452Dc22f8473616d50503bA9E1710Ac).balance, 0);
}

Impact

  • Users lost their first date funds

Recommendation

Add a line in likeUser function to update userBalances for caller.

// LikeRegistry.sol
function likeUser(
address liked
) external payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
+ userBalances[msg.sender] += msg.value;
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);
// Check if mutual like
if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
emit Matched(msg.sender, liked);
matchRewards(liked, msg.sender);
}
}
Updates

Appeal created

n0kto Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding_likeUser_no_userBalances_updated

Likelihood: High, always. Impact: High, loss of funds

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.