DatingDapp
AI First Flight #6
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Critical Accounting Error: User Balances Never Credited, Funds Lost Forever

wanzablock

Root + Impact

Description

  • Describe the normal behavior in one or more sentences

  • The contract has a fatal flaw: userBalances mapping is never updated when users send ETH via likeUser()

  • Explain the specific issue or problem in one or more sentences

  • Critical - All user funds permanently locked

// Root cause in the codebase with @> marks to highlight the relevant section
function likeUser(address liked) external payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
// ... validation checks
likes[msg.sender][liked] = true;
// ❌ MISSING: userBalances[msg.sender] += msg.value;
if (likes[liked][msg.sender]) {
matchRewards(liked, msg.sender); // Will use balance of 0!
}
}
function matchRewards(address from, address to) internal {
uint256 matchUserOne = userBalances[from]; // Always 0!
uint256 matchUserTwo = userBalances[to]; // Always 0!
uint256 totalRewards = matchUserOne + matchUserTwo; // Always 0!
}

Risk

Likelihood:

  • Reason 1 // Describe WHEN this will occur (avoid using "if" statements)

  • All user funds permanently locked

  • Reason 2

Impact:

  • Impact 1

  • 100% of user funds are locked - ETH sent to contract cannot be recovered

  • No rewards ever distributed to matched users

  • Impact 2

Proof of Concept

// Test scenario
function testFundsLocked() public {
// Alice and Bob create profiles
profileNFT.createProfile(alice);
profileNFT.createProfile(bob);
// Alice likes Bob with 1 ETH
vm.prank(alice);
registry.likeUser{value: 1 ether}(bob);
// Bob likes Alice with 1 ETH (mutual match)
vm.prank(bob);
registry.likeUser{value: 1 ether}(alice);
// Check balances
assertEq(userBalances[alice], 0); // Still 0!
assertEq(userBalances[bob], 0); // Still 0!
assertEq(address(registry).balance, 2 ether); // Locked forever
// MultiSig receives 0 ETH
address multiSig = registry.matches(alice, 0);
assertEq(address(multiSig).balance, 0); // No rewards distributed!
}

Recommended Mitigation

- remove this code
+ add this code
function likeUser(address liked) external payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
// ✅ CRITICAL FIX: Credit the user's balance
userBalances[msg.sender] += msg.value;
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);
if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
emit Matched(msg.sender, liked);
matchRewards(liked, msg.sender);
}
}
function withdrawUnmatchedFunds() external {
require(userBalances[msg.sender] > 0, "No balance");
uint256 amount = userBalances[msg.sender];
userBalances[msg.sender] = 0;
(bool success,) = payable(msg.sender).call{value: amount}("");
require(success, "Transfer failed");
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.

## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!