DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Centralized Control Risk (Owner Can Steal All Funds)

paktiko

Root + Impact

Description

The contract owner has unrestricted access to withdraw fees through withdrawFees(). However, due to the critical bug where userBalances are never updated, all user funds sent to the contract could theoretically be withdrawn by the owner by manipulating the totalFees variable or through a contract upgrade. Additionally, the owner can arbitrarily ban users via blockProfile without any governance or appeal process.

function withdrawFees() external onlyOwner {

require(totalFees > 0, "No fees to withdraw");

uint256 totalFeesToWithdraw = totalFees;

totalFees = 0;

(bool success,) = payable(owner()).call{value: totalFeesToWithdraw}("");

require(success, "Transfer failed");

}

function blockProfile(address blockAddress) external onlyOwner {

uint256 tokenId = profileToToken[blockAddress];

require(tokenId != 0, "No profile found");

_burn(tokenId);

delete profileToToken[blockAddress];

delete _profiles[tokenId];

emit ProfileBurned(blockAddress, tokenId);

}

Risk

Likelihood:

Impact:
The owner can effectively rug-pull all user funds stuck in the contract. They can also ban any user without cause, destroying their profile NFT and preventing them from using the platform. This creates a single point of failure and trust assumption.

Proof of Concept

Since userBalances are never updated, all ETH sent to the contract accumulates without proper accounting. While the owner can only withdraw 'fees', they control the contract and could potentially upgrade it or find ways to access the stuck funds. The owner can also grief users by banning them after they've sent ETH but before matching.

Recommended Mitigation

Implement a timelock for admin functions, use a multi-signature wallet for ownership, or better yet, implement decentralized governance. Add an appeal process for profile bans and consider making the fee withdrawal function only withdraw actual fees (not all contract balance). Consider using OpenZeppelin's AccessControl for role-based permissions.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.

## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!