DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

LikeRegistry Fails To Credit User Deposits Resulting In Permanent Reward Loss

yashkhare9815

High: LikeRegistry Fails To Credit User Deposits Resulting In Permanent Reward Loss

Description

The intended protocol behavior is that users deposit ETH while liking another profile, and matched users later receive pooled rewards through a multisig wallet after protocol fees are deducted.
However, the deposited ETH is never credited to userBalances[msg.sender].
During matching, the protocol reads balances from userBalances, which remain zero for all users.
As a result, matched users receive zero rewards while all deposited ETH remains trapped inside the contract.

// Root cause in the codebase with @> marks to highlight the relevant section

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

// @> Missing accounting of deposited ETH

// userBalances[msg.sender] += msg.value;

likes[msg.sender][liked] = true;

if (likes[liked][msg.sender]) {

matchRewards(liked, msg.sender);

}

function matchRewards(address from, address to) internal {

// @> Always reads zero balances

uint256 matchUserOne = userBalances[from];

uint256 matchUserTwo = userBalances[to];

uint256 totalRewards = matchUserOne + matchUserTwo;

}

Risk

Likelihood:

Every successful likeUser() call accepts ETH deposits.
Every successful match executes reward distribution using zero-valued balances.

Impact:

Matched users receive zero rewards.
Deposited ETH becomes permanently trapped in the registry contract.
Protocol reward logic and fee distribution become non-functional.

Proof of Concept

By adding the a test case to simulate the likeRegistry we can , see that the user1 and user2 balance are zero.

function setUp() public {

soulboundNFT = new SoulboundProfileNFT();

vm.prank(owner);

likeRegistry = new LikeRegistry(address(soulboundNFT));

}

function testMatchedUsersReceiveZeroRewards() public {

vm.deal(user, 2 ether);

vm.deal(user2, 2 ether);

vm.prank(user);

soulboundNFT.mintProfile("Alice", 25, "ipfs://alice");

vm.prank(user2);

soulboundNFT.mintProfile("Bob", 26, "ipfs://bob");

vm.prank(user);

likeRegistry.likeUser{value: 1 ether}(user2);

vm.prank(user2);

likeRegistry.likeUser{value: 1 ether}(user);

// Entire 2 ETH remains trapped inside registry

assertEq(address(likeRegistry).balance, 2 ether);

// User balances were never credited

assertEq(likeRegistry.userBalances(user), 0);

assertEq(likeRegistry.userBalances(user2), 0);

}

Recommended Mitigation

By updating the userBalance in likeUser we can mitigate this issue.

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

+ userBalances[msg.sender] += msg.value;

likes[msg.sender][liked] = true;

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.

## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!