DatingDapp

First Flight #33

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

likeUser() Fails to Reset Likes After Profile Deletion and Recreation

Brute Force Bastards

Summary

The likeUser() function in the LikeRegistry contract does not properly reset the user's previous like history when they delete and recreate their profile. When a user mints a profile NFT and interacts with likeUser(), their likes are recorded. However, if they later burn their profile and mint a new one, their previous like records remain in storage. This prevents them from liking the same address again, even though their profile is technically new.

Vulnerability Details

The contract enforces a requirement that users must have a profile NFT before calling likeUser() by checking require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");. However, the mapping likes[msg.sender][B] = true; does not get reset when the profile is burned. As a result, when a user deletes their profile and later mints a new one, the like history remains unchanged.

Since the like state persists across different profile lifecycles, the user is unable to like the same recipient again, even though they have a newly minted profile. This issue makes the process of deleting and recreating a profile meaningless, as it does not truly reset the user’s state within the contract.

Impact

This flaw leads to unintended restrictions on user interactions. Users who delete and recreate their profile expect to start fresh, but due to the persistent storage of their like history, they are unable to like the same recipient again. This can create a frustrating user experience and may reduce engagement with the platform. Additionally, since burning a profile does not reset associated data, it introduces inconsistencies in how user interactions are managed.

Tools Used

Manual Audit

Recommendations

To resolve this issue, the contract should ensure that the user's like history is properly reset when they burn their profile. This can be achieved by modifying the profile deletion logic to remove all existing likeUser() records associated with the user. A potential fix is to iterate over the user’s previous likes and remove them upon profile deletion, ensuring that they can start fresh when they mint a new profile.

Updates

Appeal created

n0kto Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

invalid_burning_recreating_profile

Design choice to update your age, name and photo. Scam is not a valid impact.

Rewards breakdown

nSLOC

197

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.