DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-4] Funds Not Tracked in LikeRegistry.likeUser

cybernerd

Root + Impact

Description

LikeRegistry.likeUser should record user deposits so matchRewards can calculate matching rewards and fees correctly.
The function accepts ETH but never credits userBalances[msg.sender], so funds accumulate in the contract without being attributed to the liker.

function matchRewards(address from, address to) internal {

uint256 matchUserOne = userBalances[from];

uint256 matchUserTwo = userBalances[to];

@> // userBalances[from/to] are read here, but likeUser never credits them

userBalances[from] = 0;

userBalances[to] = 0;

Risk

Likelihood:

Users send ETH to likeUser every time they like another profile.
The contract balance increases, but userBalances remains zero for all users.

Impact:

Matching reward distribution fails because the contract does not know how much each user deposited.
ETH becomes effectively locked in the contract and cannot be recovered by owners or participants.

Proof of Concept

This PoC from test/LikeRegistryFundsLocked.t.sol demonstrates that user deposits are not recorded in userBalances and therefore become trapped:

function test_fundsLockedAfterLikes() public {

// user1 likes user2

vm.prank(user1);

likeReg.likeUser{value: 1 ether}(user2);

// user2 likes user1 -> match

vm.prank(user2);

likeReg.likeUser{value: 1 ether}(user1);

// Contract balance should hold the 2 ETH sent by likes

assertEq(address(likeReg).balance, 2 ether);

// But userBalances[user1] and userBalances[user2] are both still 0

assertEq(likeReg.userBalances(user1), 0);

assertEq(likeReg.userBalances(user2), 0);

// Owner withdrawFees should revert because totalFees == 0 (no fees recorded)

vm.expectRevert(bytes("No fees to withdraw"));

likeReg.withdrawFees();

}

Run this test with:

forge test -vvv --match-path test/LikeRegistryFundsLocked.t.sol

Recommended Mitigation

Credit user deposits to userBalances immediately upon receipt:

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

+ userBalances[msg.sender] += msg.value;

require(!likes[msg.sender][liked], "Already liked");

require(msg.sender != liked, "Cannot like yourself");

require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");

require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 7 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.

## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!