Root + Impact

Description

When a mutual match occurs, matchRewards sweeps the entire accumulated balance of both users into a newly deployed 2-of-2 MultiSigWallet, see LikeRegistry.sol:66. The multisig requires both owners to approve every transaction, see MultiSig.sol:77. There is no timeout, no single-party redemption, no owner replacement, and no arbitration mechanism in MultiSig.sol.

If either party disappears after matching — whether due to lost access, intentional abandonment, or a low-cost griefing action (spending 1 ETH to match a high-balance target and then going silent) — the other party's full accumulated balance is permanently inaccessible. The victim loses not just 1 ETH for this match, but all ETH previously deposited across multiple likes.

Risk

Likelihood: Low

Economically rational attackers gain no direct financial benefit from executing this attack. Realistic triggers are accidental (key loss, user inactivity) or non-financial motivated (platform griefing, personal disputes). However, accidental fund lock due to normal user inactivity is a plausible real-world scenario.

Impact: High

The victim permanently loses their entire accumulated balance with no on-chain recovery path. The damage to the victim is disproportionate — a low-cost action (1 ETH like) by one party can lock a much larger sum belonging to the other. There is no mechanism for the protocol, an admin, or the remaining user to reclaim the stranded funds.

Recommended Mitigation

Add a time-locked single-party redemption mechanism to the MultiSigWallet. If one owner has not participated (no approval on any pending transaction) within a defined period (e.g., 30 days), the other owner should be permitted to withdraw their proportional share unilaterally.