DatingDapp
First Flight #33
Beginner FriendlyFoundrySolidityNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

On-chain data is public, and an attacker can access the `userBalance` information and choose to attack users with higher balances; furthermore, the reward distribution mechanism can also lead to unfair phenomena.

ethanwalker

Summary

  1. Due to the public nature of on-chain data, attackers can conduct targeted attacks on users with higher balances, paying 1 ETH to call likeUser in order to exploit potential gains;

  2. Since each user can match with multiple users, the following situation may arise:

    1. userA likes userB

    2. userA likes userC

    3. userB likes userA

    4. userC likes userA

    5. Clearly, at this point userA's balance is 0, which is unfair for userC.

Vulnerability Details

Regardless of the difference between userBalances[from] and userBalances[to], they will always be fully cleared and counted towards totalRewards, which poses a potential phishing attack risk for high-net-worth users; on the other hand, this is also unfair to users who successfully match later.

function matchRewards(address from, address to) internal {
uint256 matchUserOne = userBalances[from];
uint256 matchUserTwo = userBalances[to];
userBalances[from] = 0;
userBalances[to] = 0;
uint256 totalRewards = matchUserOne + matchUserTwo;
uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100;
uint256 rewards = totalRewards - matchingFees;
totalFees += matchingFees;
// Deploy a MultiSig contract for the matched users
MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
// Send ETH to the deployed multisig wallet
(bool success, ) = payable(address(multiSigWallet)).call{value: rewards}("");
require(success, "Transfer failed");
}

Impact

  • High-net-worth users may be targeted by an attacker, for example, a user with a balance of 100 ETH could be attracted and deceived by an attacker using multiple 1 ETH accounts.

  • The attacker himself can also create multiple accounts from the start to fish, and the more these accounts are liked, the greater the potential gains for the attacker.

  • The reward distribution mechanism is unfair to users who match later.

Tools Used

  • Foundry

Recommendations

Modifying totalRewards to be calculated based on the user with the smaller balance not only helps defend against the aforementioned attacks but also prevents unfair situations.

function matchRewards(address from, address to) internal {
- uint256 matchUserOne = userBalances[from];
- uint256 matchUserTwo = userBalances[to];
+ uint256 matchBalance = userBalances[from] < userBalances[to] ? userBalances[from] : userBalances[to];
- userBalances[from] = 0;
+ userBalances[from] -= matchBalance;
- userBalances[to] = 0;
+ userBalances[to] -= matchBalance;
- uint256 totalRewards = matchUserOne + matchUserTwo;
+ uint256 totalRewards = matchBalance + matchBalance;
uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100;
uint256 rewards = totalRewards - matchingFees;
totalFees += matchingFees;
// Deploy a MultiSig contract for the matched users
MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
// Send ETH to the deployed multisig wallet
(bool success, ) = payable(address(multiSigWallet)).call{value: rewards}("");
require(success, "Transfer failed");
}
Updates

Appeal created

n0kto Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
ethanwalker Submitter
3 months ago
n0kto Lead Judge
3 months ago
n0kto Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.