DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

likeUser() accepts overpayment without clear semantics

joshuapaul1

Root + Impact

Description

The README says users pay 1 ETH to like. The code accepts >= 1 ether
Once the accounting bug is fixed, overpayments would either inflate match rewards unexpectedly or, if only 1 ETH is credited, leave excess ETH stuck.

//@LikeRegistry.sol line 32

require(msg.value >= 1 ether, "Must send at least 1 ETH");

Risk

Likelihood:

High. This triggers on every single likeUser() call — no special conditions, no attacker required. Normal user interaction is sufficient to lose funds.

Impact:

High. Every user loses 100% of their payment. Overpayers lose even more with zero recourse. Funds cannot be recovered through the MultiSig (receives 0 ETH) or withdrawFees() (only moves totalFees, which is also 0)

Proof of Concept

Create new test contract in test folder

Ran with command: forge test --match-path OverpaymentPoC.t.sol -vvvv

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.19;

import "forge-std/Test.sol";

import "../src/LikeRegistry.sol";

import "../src/SoulboundProfileNFT.sol";

contract OverpaymentPoC is Test {

SoulboundProfileNFT profileNFT;

LikeRegistry likeRegistry;

address alice = address(0xA11CE);

address bob = address(0xB0B);

function setUp() public {

profileNFT = new SoulboundProfileNFT();

likeRegistry = new LikeRegistry(address(profileNFT));

// Alice overpays — she sends 5 ETH instead of the documented 1 ETH

vm.deal(alice, 5 ether);

// Bob pays exactly 1 ETH as the README intends

vm.deal(bob, 1 ether);

vm.prank(alice);

profileNFT.mintProfile("Alice", 25, "ipfs://alice");

vm.prank(bob);

profileNFT.mintProfile("Bob", 26, "ipfs://bob");

}

/// @notice Demonstrates that msg.value is silently accepted but never

/// credited to userBalances, so every wei above 1 ETH is lost

/// forever inside LikeRegistry with no withdrawal path for users.

function testOverpaymentSilentlyLost() public {

// ── Alice sends 5 ETH ────────────────────────────────────────────────

// likeUser only checks msg.value >= 1 ether (line 32).

// The full 5 ETH lands in the contract but is NEVER written to

// userBalances[alice]. The 4 ETH overpayment has no accounting entry.

vm.prank(alice);

likeRegistry.likeUser{value: 5 ether}(bob);

assertEq(address(likeRegistry).balance, 5 ether, "contract holds alice's 5 ETH");

assertEq(likeRegistry.userBalances(alice), 0, "alice's balance is 0 — overpayment untracked");

// ── Bob sends exactly 1 ETH ──────────────────────────────────────────

// Mutual like triggers matchRewards(bob, alice).

// matchRewards reads userBalances[bob] + userBalances[alice] → 0 + 0 = 0.

// rewards = 0, so the freshly deployed MultiSig receives 0 ETH.

vm.prank(bob);

likeRegistry.likeUser{value: 1 ether}(alice);

address multiSig = computeCreateAddress(address(likeRegistry), 1);

assertTrue(multiSig.code.length > 0, "MultiSigWallet was deployed");

// ── Post-match accounting ────────────────────────────────────────────

// Combined 6 ETH sits in LikeRegistry.

// MultiSig got 0 ETH — users cannot recover anything through it.

// No refund mechanism exists for overpaid amounts.

assertEq(address(likeRegistry).balance, 6 ether, "all 6 ETH stuck in registry");

assertEq(address(multiSig).balance, 0, "multisig received 0 ETH");

// ── Alice's 4 ETH overpayment is permanently unrecoverable ──────────

// Alice started with 5 ETH and spent all of it.

// She cannot withdraw — userBalances[alice] == 0.

// The owner can only withdraw totalFees, which is also 0 here.

assertEq(alice.balance, 0, "alice lost her entire 5 ETH, not just the required 1 ETH");

}

Recommended Mitigation

Deposits should be exactly 1 ETH at line 32

like here

- msg.value >= 1 ether

+msg.value == 1 ether

or clearly support variable deposits.

+ if(msg.value> 1 ether) { userBalance[msg.sender] += msg.value }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.

## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!