DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Impact: medium

Likelihood: medium

Invalid

Front-Running Vulnerability in Like System

paktiko

Root + Impact

Description

The likeUser function is vulnerable to front-running attacks. When a user submits a like transaction, it's visible in the mempool. An attacker can see this and front-run by quickly liking the same target user with a higher gas price. If the target had already liked the original user, the attacker triggers the match instead, stealing the match and potentially the rewards.

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

require(!likes[msg.sender][liked], "Already liked");

// ... validation ...

likes[msg.sender][liked] = true;

emit Liked(msg.sender, liked);

// Check if mutual like - FRONT-RUNNABLE

if (likes[liked][msg.sender]) {

matches[msg.sender].push(liked);

matches[liked].push(msg.sender);

emit Matched(msg.sender, liked);

matchRewards(liked, msg.sender);

}

Risk

Likelihood:

Impact:
Attackers can steal matches from legitimate users by front-running their transactions. This is especially problematic because matches trigger the deployment of MultiSig wallets and fund transfers. Users may lose their intended matches to bots or malicious actors monitoring the mempool.

Proof of Concept

// Scenario:

// 1. Alice has already liked Bob

// 2. Bob submits transaction to like Alice (creating mutual match)

// 3. Attacker sees Bob's pending transaction in mempool

// 4. Attacker front-runs with higher gas to like Alice

// 5. If Alice had liked Attacker before, Attacker gets the match

// 6. Bob's transaction still succeeds but no match occurs

Recommended Mitigation

Implement a commit-reveal scheme for likes, use a private mempool service like Flashbots, or add a time delay between like and match confirmation. Alternatively, implement a match confirmation step where both parties must confirm the match after initial likes.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!