likeUser never credits userBalances — all ETH sent by users is permanently locked
Root + Impact
Description
-
LikeRegistry.likeUser is designed to collect a fee (≥ 1 ETH) from each user who likes another, accumulate those balances, and distribute them as rewards to matched users via matchRewards.
-
LikeUser accepts msg.value but never records it in userBalances[msg.sender]. The matchRewards function reads userBalances[from] and userBalances[to], both of which are always 0. The deployed MultiSigWallet therefore receives 0 ETH, and every ETH sent by users accumulates in the contract with no mechanism for recovery.
Risk
Likelihood:
-
This occurs every time any user calls likeUser with ETH, which is required for the function to succeed.
-
All users of the protocol are affected from the first transaction onward — there is no scenario where the function works correctly as written.
Impact:
-
100% of ETH sent to the protocol is permanently locked in the LikeRegistry contract with no recovery path for users.
-
Matched users receive a MultiSigWallet with 0 ETH — the core reward mechanism of the protocol is completely non-functional.
-
totalFees never accumulates, so withdrawFees also always reverts, denying the owner their fee income.
Proof of Concept
This test traces the full happy-path flow — two users match — and demonstrates that despite each sending 1 ETH, no value reaches the MultiSig and no fees are recorded:
Setup — Alice and Bob each mint a profile NFT. Both are funded with 10 ETH.
Alice likes Bob — She calls likeUser{value: 1 ether}(bob). The function accepts 1 ETH. Because userBalances[alice] is never written, it remains 0.
Bob likes Alice — He calls likeUser{value: 1 ether}(alice). This triggers the mutual-match branch. matchRewards(alice, bob) is called, which reads userBalances[alice] = 0 and userBalances[bob] = 0. totalRewards = 0, rewards = 0. A MultiSigWallet is deployed and receives 0 ETH.
Locked funds — address(likeRegistry).balance is now 2 ETH. There is no user-facing withdrawal function, and withdrawFees() reverts with "No fees to withdraw" because totalFees is also 0.
Result — Both users permanently lose 1 ETH each. The deployed MultiSig is empty and useless.
To run: forge test --match-test test_ethLockedForever -vvvv
Recommended Mitigation
Credit userBalances inside likeUser before any conditional logic:
Lead Judging Commences
[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.
## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.