DatingDapp
AI First Flight #6
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

The `LikeRegistry::userBalances` mapping is not updated inside the `LikeRegistry::likeUser` function, breaking the rewards functionality of the protocol

lukamm

The LikeRegistry::userBalances mapping is not updated inside the LikeRegistry::likeUser function, breaking the rewards functionality of the protocol

Description

When a user calls the LikeRegistry::likeUser function the LikeRegistry::userBalances mapping should be updated to track the total balance of that user from liking other profiles. The userBalances mapping is then used in the LikeRegistry::matchRewards function to create the multisig wallet for the two matched users with the sum of their total balances minus fees. Due to LikeRegistry::userBalances mapping not being updated, the rewards mechanism for the protocol is completely broken, and this is a loss of funds for the users.

function likeUser(address liked) external payable {
// @audit-info: There is no refund mechanism if the user sends more than 1 ETH
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
@> // @audit-info: There is no state update of the userBalances[msg.sender]
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);
// Check if mutual like
if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
emit Matched(msg.sender, liked);
matchRewards(liked, msg.sender);
}
}

Risk

Likelihood:

  • Every time a user calls LikeRegistry::likeUser, their balance is not tracked

  • This affects 100% of likes on the platform

Impact:

  • The entire rewards mechanism is broken - matched users receive a multisig wallet with 0 ETH instead of their pooled balances

  • All ETH sent via LikeRegistry::likeUser is permanently stuck in the contract with no way to recover

  • Users pay 1 ETH per like but receive nothing when they match

Proof of Concept

  1. User 1 creates their profile

  2. User 2 creates their profile

  3. User 1 likes User 2

  4. User 1 still has a LikeRegistry::userBalances of 0

Add the following test to your testSoulboundProfileNFT.t.sol file.

function testUserBalancesNotUpdated() public {
uint256 likePrice = 1 ether;
// Deal the user the like price
vm.deal(user, likePrice);
// User mints their profile
vm.prank(user);
soulboundNFT.mintProfile("Alice", 25, "ipfs://profileImage");
// User2 mints their profile
vm.prank(user2);
soulboundNFT.mintProfile("Bob", 23, "ipfs://profileImage");
// Get balances before the like
uint256 trackedBalanceBefore = likeRegistry.userBalances(user);
uint256 likeRegistryBalanceBefore = address(likeRegistry).balance;
// User likes User2
vm.prank(user);
likeRegistry.likeUser{value: likePrice}(address(user2));
// Get balances after the like
uint256 trackedBalanceAfter = likeRegistry.userBalances(user);
uint256 likeRegistryBalanceAfter = address(likeRegistry).balance;
// Assertions
assertEq(trackedBalanceAfter, trackedBalanceBefore);
assertEq(likeRegistryBalanceAfter, likeRegistryBalanceBefore + likePrice);
}

Recommended Mitigation

Update the userBalances mapping in the LikeRegistry::likeUser function.

Note: The code for refunds related to another finding for LikeRegistry::likeUser has been added here to maintain consistency.

+ error TransferFailed();
+ uint256 public constant LIKE_PRICE = 1 ether;
function likeUser(address liked) external payable {
// @audit-info: There is no refund mechanism if the user sends more than 1 ETH
- require(msg.value >= 1 ether, "Must send at least 1 ETH");
+ require(msg.value >= LIKE_PRICE, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
+ userBalances[msg.sender] += LIKE_PRICE;
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);
// Check if mutual like
if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
emit Matched(msg.sender, liked);
matchRewards(liked, msg.sender);
}
+ if (msg.value > LIKE_PRICE) {
+ uint256 amountToRefund = msg.value - LIKE_PRICE;
+ (bool success, ) = payable(msg.sender).call{value: amountToRefund}("");
+ if (!success) {
+ revert TransferFailed();
+ }
}
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 20 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.

## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!