DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

ETH Lost: `msg.value` Deposited but `userBalances` Never Updated

pratamaajip01

[CRITICAL] ETH Lost: `msg.value` Deposited but `userBalances` Never Updated

File: sources/2025-02-datingdapp/src/LikeRegistry.sol
Lines: 30–62

Summary

When a user calls likeUser() and sends ETH, the ETH is accepted into LikeRegistry but userBalances[msg.sender] is never incremented. The matchRewards() function reads from userBalances, which remains 0 for all users. Matched users receive 0 ETH rewards — their deposited ETH is permanently locked in the contract.

Vulnerability Details

// LikeRegistry.sol — likeUser()

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

// msg.value is NEVER stored anywhere!

likes[msg.sender][liked] = true;

if (likes[liked][msg.sender]) {

matchRewards(liked, msg.sender); // called without ever storing msg.value

}

// matchRewards()

function matchRewards(address from, address to) internal {

uint256 matchUserOne = userBalances[from]; // Always 0!

uint256 matchUserTwo = userBalances[to]; // Always 0!

userBalances[from] = 0;

userBalances[to] = 0;

uint256 totalRewards = matchUserOne + matchUserTwo; // = 0

uint256 rewards = totalRewards - matchingFees; // = 0

// MultiSig receives 0 ETH; all paid ETH stuck in LikeRegistry forever

}

PoC

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.19;

import "forge-std/Test.sol";

import "../src/LikeRegistry.sol";

import "../src/SoulboundProfileNFT.sol";

contract MissingBalanceTest is Test {

LikeRegistry registry;

SoulboundProfileNFT nft;

address alice = address(0xA);

address bob = address(0xB);

function setUp() public {

nft = new SoulboundProfileNFT();

registry = new LikeRegistry(address(nft));

vm.deal(alice, 10 ether);

vm.deal(bob, 10 ether);

vm.prank(alice); nft.mintProfile("Alice", 25, "ipfs://alice");

vm.prank(bob); nft.mintProfile("Bob", 26, "ipfs://bob");

}

function testMatchRewardsAreZero() public {

vm.prank(alice);

registry.likeUser{value: 1 ether}(bob);

vm.prank(bob);

registry.likeUser{value: 1 ether}(alice); // triggers match

// 2 ETH paid in, 0 ETH sent to MultiSig — all stuck in registry

assertEq(address(registry).balance, 2 ether, "ETH STUCK in registry!");

}

Impact

All ETH paid by users is permanently stuck in LikeRegistry.
Every matched pair receives 0 ETH in their MultiSig wallet.
Users have no mechanism to reclaim their ETH.
The protocol appears to function (matches fire correctly) but silently locks all funds.
CRITICAL — direct, complete loss of all user funds.

Tools Used

Manual code review
Foundry PoC

Recommendations

Add userBalances[msg.sender] += msg.value; inside likeUser() before the match check:

likes[msg.sender][liked] = true;

+ userBalances[msg.sender] += msg.value;

emit Liked(msg.sender, liked);

if (likes[liked][msg.sender]) {

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 6 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.

## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!