DatingDapp

AI First Flight #6

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Submission Details

Severity: high

Valid

All ETH paid via likeUser() becomes permanently stuck in LikeRegistry because userBalances is never updated

wiseelf511

Root + Impact

Description `likeUser()` requires the caller to send at least 1 ETH (`msg.value >= 1 ether`), and the contract has a `receive()` function so it accepts and holds that ETH. However, `msg.value` is never written to `userBalances[msg.sender]` anywhere in the contract — `userBalances` is declared but never has a setter.

When a mutual like creates a match, matchRewards(from, to) is called. It reads userBalances[from] and userBalances[to], both of which are always 0. So:

totalRewards = 0
matchingFees = (0 * 10) / 100 = 0
rewards = 0
totalFees += 0 (stays 0 forever)

Describe the normal behavior in one or more sentences
Explain the specific issue or problem in one or more sentence

Risk

Likelihood:

Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
Reason 2Every 1 ether (minimum) sent by users when liking someone becomes unrecoverable. No user, matched couple, or the contract owner has any way to withdraw it. This is a direct, total, permanent loss of user funds.

Impact:

Impact 1 This isn't an edge case or attack; it happens automatically and unavoidably on every single likeUser() call, including normal, intended usage.
Impact 2

Proof of Concept

Alice and Bob both mint profile NFTs via SoulboundProfileNFT.

Alice calls likeUser(Bob) with msg.value = 1 ether. likes[Alice][Bob] = true. userBalances[Alice] remains 0.

Bob calls likeUser(Alice) with msg.value = 1 ether. likes[Bob][Alice] = true, mutual match detected, matchRewards(Alice, Bob

Recommended Mitigation

function likeUser(address liked) external payable {

require(msg.value >= 1 ether, "Must send at least 1 ETH");

...

userBalances[msg.sender] += msg.value; // credit the deposit

likes[msg.sender][liked] = true;

emit Liked(msg.sender, liked);

if (likes[liked][msg.sender]) {

matches[msg.sender].push(liked);

matches[liked].push(msg.sender);

emit Matched(msg.sender, liked);

matchRewards(liked, msg.sender);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.

## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!