The likeUser function requires each caller to send at least 1 ETH (msg.value >= 1 ether). According to the protocol design, these payments should accumulate so that when a mutual match occurs, all previous like payments (minus a 10% fee) are pooled into a shared multisig wallet.
However, likeUser never updates userBalances[msg.sender]. The ETH is received by the contract but the user's balance mapping remains at zero. When matchRewards is triggered, it reads userBalances[from] and userBalances[to] — both are 0 — so totalRewards is 0, no fees are calculated, and 0 ETH is sent to the newly deployed MultiSig wallet. The 1 ETH per like is permanently trapped in the LikeRegistry contract.
Likelihood:
This occurs on every single call to likeUser. There is no code path that updates userBalances. The bug is triggered 100% of the time.
Impact:
All ETH sent to express genuine interest (1 ETH per like) is permanently locked in the LikeRegistry contract with no mechanism for retrieval by users.
The core value proposition — pooling match rewards into a shared multisig wallet for the couple's first date — is completely non-functional. The multisig wallets are deployed with zero balance.
The only entity that can extract the trapped ETH is the owner via withdrawFees, but totalFees also remains at 0 since it is calculated from the zero totalRewards. The ETH is permanently locked.
This test demonstrates that Alice and Bob each send 1 ETH to like each other, triggering a match and deploying a MultiSig wallet. Despite 2 ETH being sent to the contract, both userBalances remain 0, and the MultiSig receives 0 ETH. The 2 ETH is trapped in the LikeRegistry.
Add a line in likeUser to credit the sender's balance with the ETH they sent. This ensures matchRewards can correctly pool the accumulated ETH into the MultiSig wallet.
## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.