DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

LikeRegistry.likeUser() Accepts Arbitrary msg.value Above 1 ETH – Excess Funds Permanently Trapped

bamgboseoluwole83

Root + Impact

Description

Describe the normal behavior in one or more sentences
Explain the specific issue or problem in one or more sentences

# LikeRegistry.likeUser() Accepts Arbitrary msg.value Above 1 ETH – Excess Funds Permanently Trapped

## Root + Impact

### Description

The `LikeRegistry.likeUser()` function validates that the incoming deposit is sufficient by verifying `msg.value >= 1 ether`. However, it does not validate or restrict the amount to an exact threshold.

If an end-user inadvertently transactions an amount greater than 1 ETH, the contract executes completely and absorbs the full balance. Because the protocol fails to update `userBalances` to reflect the excess margin or trigger a state update, the extra value is permanently retained in the `LikeRegistry` address with zero distribution mechanics.

### Risk

* **Impact**: High - Users who transacted extra margins lose their funds entirely.

* **Likelihood**: High - Accidental typos or misconfigurations when interacting with the function directly will trap funds with no mechanism for retrieval.

---

## Proof of Concept

The test below confirms that when `likeUser` receives 5 ETH instead of the baseline 1 ETH fee requirement, the system successfully processes the interaction but records a zero state value under `userBalances(alice)`. The extra 4 ETH remains stuck inside the contract logic.

```solidity

function test_ExcessEthTrapped() public {

vm.prank(alice);

profileNFT.mintProfile("Alice", 25, "imageHash");

vm.prank(bob);

profileNFT.mintProfile("Bob", 28, "imageHash");

// Alice likes Bob with 5 ETH instead of 1

vm.deal(alice, 5 ether);

vm.prank(alice);

likeRegistry.likeUser{value: 5 ether}(bob);

// All 5 ETH trapped in contract

assertEq(address(likeRegistry).balance, 5 ether);

assertEq(likeRegistry.userBalances(alice), 0); // Still zero

}

```

---

## Recommended Mitigation

Enforce an exact match limit validation to stop higher values, or modify the deposit to safely record or refund excess sent.

```diff

- // remove this code

+ require(msg.value == 1 ether, "Must send exactly 1 ETH");

```

Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
Reason 2

Impact:

Impact 1
Impact 2

Proof of Concept

Recommended Mitigation

- remove this code

+ add this code

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.

## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!