DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

likeUser() never credits msg.value to userBalances — all ETH permanently locked

diegotrigueros

Root + Impact

Description

When a user calls likeUser() and sends >= 1 ETH, the ETH is received by the
LikeRegistry contract but is NEVER credited to userBalances[msg.sender].
When a mutual match occurs, matchRewards() reads userBalances[from] and
userBalances[to], which are both 0. The multisig wallet receives 0 ETH,
and all ETH sent by users is permanently locked in the LikeRegistry contract
with no mechanism to recover it.

This completely breaks the core protocol functionality.

// src/LikeRegistry.sol:31-48

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

require(!likes[msg.sender][liked], "Already liked");

require(msg.sender != liked, "Cannot like yourself");

require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");

require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

likes[msg.sender][liked] = true;

emit Liked(msg.sender, liked);

// @> BUG: msg.value is NEVER added to userBalances[msg.sender]

// @> Missing: userBalances[msg.sender] += msg.value;

if (likes[liked][msg.sender]) {

matches[msg.sender].push(liked);

matches[liked].push(msg.sender);

emit Matched(msg.sender, liked);

matchRewards(liked, msg.sender);

// @> matchRewards reads userBalances which are always 0

}

Risk

Likelihood: Certain

Every single call to likeUser() triggers this bug
There is no alternative code path that credits userBalances

Impact: Critical

ALL ETH sent by ALL users is permanently locked — total loss of funds
Matched couples receive 0 ETH in their multisig wallet
The core value proposition of the protocol (pooled date funds) is broken
No recovery mechanism exists — locked ETH cannot be withdrawn
(withdrawFees only covers totalFees, which is also 0)

Proof of Concept

The following test demonstrates that after two users like each other and a
match is triggered, the LikeRegistry contract retains all 2 ETH while both
userBalances remain at 0 — proving the funds are permanently locked.

function testETHLockedForever() public {

// Setup

SoulboundProfileNFT nft = new SoulboundProfileNFT();

LikeRegistry registry = new LikeRegistry(address(nft));

address alice = address(0x1);

address bob = address(0x2);

vm.deal(alice, 10 ether);

vm.deal(bob, 10 ether);

// Both mint profiles

vm.prank(alice);

nft.mintProfile("Alice", 25, "ipfs://alice");

vm.prank(bob);

nft.mintProfile("Bob", 27, "ipfs://bob");

// Alice likes Bob — sends 1 ETH

vm.prank(alice);

registry.likeUser{value: 1 ether}(bob);

// Bob likes Alice — sends 1 ETH, triggers match

vm.prank(bob);

registry.likeUser{value: 1 ether}(bob);

// Result: LikeRegistry holds 2 ETH, multisig received 0 ETH

assertEq(address(registry).balance, 2 ether); // All ETH stuck

assertEq(registry.userBalances(alice), 0); // Never credited

assertEq(registry.userBalances(bob), 0); // Never credited

}

Recommended Mitigation

Add the missing balance credit line immediately after recording the like,
so that msg.value is properly tracked before any match logic executes.

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

require(!likes[msg.sender][liked], "Already liked");

require(msg.sender != liked, "Cannot like yourself");

require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");

require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");

likes[msg.sender][liked] = true;

+ userBalances[msg.sender] += msg.value;

emit Liked(msg.sender, liked);

if (likes[liked][msg.sender]) {

matches[msg.sender].push(liked);

matches[liked].push(msg.sender);

emit Matched(msg.sender, liked);

matchRewards(liked, msg.sender);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.

## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!