DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Submission Details

Severity: high

Valid

Can't store ETH

kinghannibal66

Root + Impact

Description

Can't track users balances once ETH has been sent to contract

// Root cause in the codebase with @> marks to highlight the relevant section

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.19;

import "./SoulboundProfileNFT.sol";

import "@openzeppelin/contracts/access/Ownable.sol";

import "./MultiSig.sol";

contract LikeRegistry is Ownable {

struct Like {

address liker;

address liked;

uint256 timestamp;

}

SoulboundProfileNFT public profileNFT;

uint256 immutable FIXEDFEE = 10;

uint256 totalFees;

mapping(address => mapping(address => bool)) public likes;

mapping(address => address[]) public matches;

mapping(address => uint256) public userBalances;

event Liked(address indexed liker, address indexed liked);

event Matched(address indexed user1, address indexed user2);

constructor(address _profileNFT) Ownable(msg.sender) {

profileNFT = SoulboundProfileNFT(_profileNFT);

}

//Problematic function

@> function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

require(!likes[msg.sender][liked], "Already liked");

require(msg.sender != liked, "Cannot like yourself");

require(

profileNFT.profileToToken(msg.sender) != 0,

"Must have a profile NFT"

);

require(

profileNFT.profileToToken(liked) != 0,

"Liked user must have a profile NFT"

);

likes[msg.sender][liked] = true;

emit Liked(msg.sender, liked);

// Check if mutual like

if (likes[liked][msg.sender]) {

matches[msg.sender].push(liked);

matches[liked].push(msg.sender);

emit Matched(msg.sender, liked);

matchRewards(liked, msg.sender);

}

function matchRewards(address from, address to) internal {

uint256 matchUserOne = userBalances[from];

uint256 matchUserTwo = userBalances[to];

userBalances[from] = 0;

userBalances[to] = 0;

uint256 totalRewards = matchUserOne + matchUserTwo;

uint256 matchingFees = (totalRewards * FIXEDFEE) / 100;

uint256 rewards = totalRewards - matchingFees;

totalFees += matchingFees;

// Deploy a MultiSig contract for the matched users

MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);

// Send ETH to the deployed multisig wallet

(bool success, ) = payable(address(multiSigWallet)).call{

value: rewards

}("");

require(success, "Transfer failed");

}

function getMatches() external view returns (address[] memory) {

return matches[msg.sender];

}

function withdrawFees() external onlyOwner {

require(totalFees > 0, "No fees to withdraw");

uint256 totalFeesToWithdraw = totalFees;

totalFees = 0;

(bool success, ) = payable(owner()).call{value: totalFeesToWithdraw}(

);

require(success, "Transfer failed");

}

/// @notice Allows the contract to receive ETH

receive() external payable {}

}

Risk

Likelihood:

Will occur whenever more than 1 ETH is sent

Impact:

Contract will not be able to track ETH balances

Proof of Concept

OVERVIEW:

payable function storage

ACTORS:

Victim- could send ETH but hace no way to track account userBalances

Protocol-Because the function is payable, ETH is transfered into contratcs balance and is tracked

SOLIDITY CODE:

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

require(!likes[msg.sender][liked], "Already liked");

require(msg.sender != liked, "Cannot like yourself");

require(

profileNFT.profileToToken(msg.sender) != 0,

"Must have a profile NFT"

);

@> userBalances[msg.sender] += msg.value; //Update code//

//track user balances//

require(

profileNFT.profileToToken(liked) != 0,

"Liked user must have a profile NFT"

);

likes[msg.sender][liked] = true;

emit Liked(msg.sender, liked);

// Check if mutual like

if (likes[liked][msg.sender]) {

matches[msg.sender].push(liked);

matches[liked].push(msg.sender);

emit Matched(msg.sender, liked);

matchRewards(liked, msg.sender);

}

Recommended Mitigation

- remove this code

No code to remove

+ add this code

//will track user balances within the contract//

+userBalances[msg.sender] += msg.value;

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 18 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.

## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!