DatingDapp

Summary

The LikeRegistry contract contains a critical issue where the msg.value provided in the likeUser() function is not properly recorded. As a result, users' balances are not updated, leading to a scenario where funds are permanently locked within the contract.

Vulnerability Details

When executing likeUser(), the contract enforces a rule that requires users to send at least 1 ether. However, while this condition is checked, there is no corresponding logic to update msg.sender's balance in userBalances. Consequently, when the matchRewards() function attempts to access these balances, both userBalances[from] and userBalances[to] are recorded as zero. This results in a complete failure of the fund distribution process, causing all funds to remain irretrievable within the contract.

Impact

The absence of balance updates in userBalances directly leads to permanent fund locking. Users will be unable to claim or retrieve their funds, rendering the contract unusable for its intended purpose. Additionally, as the contract accumulates locked funds over time, its overall functionality and trustworthiness are significantly compromised.

Tools Used

Manual Audit

Recommendations

To resolve this issue, the contract should explicitly update userBalances[msg.sender] when msg.value is provided through likeUser(). This ensures that the funds are correctly accounted for and can be properly utilized when executing matchRewards(). Additionally, implementing a withdrawal mechanism or an admin-controlled recovery function could serve as a safeguard to prevent indefinite fund locking in case of unforeseen failures in balance management.