The `likeUser()` function never rejects the zero address as the `liked` parameter. There is a check that stops users from liking themselves (`require(msg.sender != liked)`), but no explicit `liked != address(0)` check. A caller could therefore waste gas attempting to like the zero address, and the call could create invalid state entries.
```solidity
function likeUser(address liked) external payable {
    require(msg.value >= 1 ether, "Must send at least 1 ETH");
    require(!likes[msg.sender][liked], "Already liked");
    require(msg.sender != liked, "Cannot like yourself");
    // @> Missing: require(liked != address(0), "Cannot like zero address");
    require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
    require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
    // ...
}
```
### Root Cause
The function does verify that the liked user holds a profile NFT, and that check would also revert for the zero address, but it runs only after the other validations (including an external call) and reverts with a message that does not name the real problem. An explicit zero-address check placed up front is clearer and cheaper, since the call fails on a local comparison before any external call is made.
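The hardened form of the function, as an added example rather than code from the audited project: the zero-address check is moved to the top of the function so a bad input fails on a cheap local comparison before the `profileNFT` external calls, and the other checks keep their original order. The `IProfileNFT` interface, the `Liked` event and the body after the checks are assumptions, since the page only shows `profileToToken(address)` being called and elides the rest with `// ...`. The Foundry test at the end assumes `forge-std` is available and shows the revert reason a caller now receives.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol"; // assumed available (Foundry project)

// Assumed minimal interface: the page only shows profileToToken(address) being used.
interface IProfileNFT {
    function profileToToken(address owner) external view returns (uint256);
}

contract LikeRegistryHardened {
    IProfileNFT public immutable profileNFT;
    mapping(address => mapping(address => bool)) public likes;

    event Liked(address indexed liker, address indexed liked); // assumed event

    constructor(IProfileNFT _profileNFT) {
        profileNFT = _profileNFT;
    }

    function likeUser(address liked) external payable {
        // Explicit zero-address guard first: a local comparison that reverts
        // with a precise message before any external call is made.
        require(liked != address(0), "Cannot like zero address");
        require(msg.value >= 1 ether, "Must send at least 1 ETH");
        require(!likes[msg.sender][liked], "Already liked");
        require(msg.sender != liked, "Cannot like yourself");
        require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
        require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

        // Assumed body; the original is elided on the page.
        likes[msg.sender][liked] = true;
        emit Liked(msg.sender, liked);
    }
}

// Constructed mock: every address except the zero address "owns" token id 1.
contract MockProfileNFT is IProfileNFT {
    function profileToToken(address owner) external pure returns (uint256) {
        return owner == address(0) ? 0 : 1;
    }
}

contract LikeRegistryHardenedTest is Test {
    LikeRegistryHardened registry;
    address alice = address(0xA11CE); // constructed test address

    function setUp() public {
        registry = new LikeRegistryHardened(new MockProfileNFT());
        vm.deal(alice, 2 ether);
    }

    function testZeroAddressRevertsWithClearMessage() public {
        vm.prank(alice);
        vm.expectRevert("Cannot like zero address");
        registry.likeUser{value: 1 ether}(address(0));
    }

    function testValidLikeIsRecorded() public {
        address bob = address(0xB0B); // constructed test address
        vm.prank(alice);
        registry.likeUser{value: 1 ether}(bob);
        assertTrue(registry.likes(alice, bob));
    }
}
```

Run with `forge test` in a Foundry project that has `forge-std` installed. Ordering the zero-address check ahead of the NFT lookups is the gas point from the root cause: the mistaken call reverts before paying for two external view calls, and the revert string names the actual mistake.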
Likelihood:
* Users are unlikely to intentionally like the zero address
* This could occur due to UI bugs or programming errors
* The profile NFT check will eventually revert, but only after other checks pass
Impact:
* Users waste gas on failed transactions
* Unclear error messages when zero address is used
* Potential for invalid state if the profile NFT check is ever modified
* Poor user experience