likeUser() locks ETH permanently with no unlike or refund mechanism when a match never occurs
Root + Impact
Description
-
likeUser()requires at least 1 ETH per like. The ETH is sent toLikeRegistryand thelikesmapping is set. If the liked user never reciprocates, the ETH is permanently locked in the contract with no way to withdraw. -
The contract has no
unlike()function, norefund()function, and no timeout after which a liker can reclaim their ETH.userBalancesis never credited (H-01), so there is no balance to claim even if a withdrawal path existed. The only ETH exit iswithdrawFees()(owner only) and the MultiSig transfer inmatchRewards.
Risk
Likelihood:
Any user who likes someone and never receives a mutual like permanently loses their ETH. This is the default outcome for most likes on any dating platform.
Impact:
All ETH sent via
likeUserfor non-matching pairs is permanently locked inLikeRegistry. The owner can only withdrawtotalFees, which are 10% ofmatchRewards— not the locked like ETH. Every unreciprocated 1+ ETH like is a permanent loss to the sender.
Proof of Concept
Alice likes Bob and sends 1 ETH. Bob never reciprocates. The test verifies that LikeRegistry holds Alice's ETH indefinitely. The commented-out lines show that no unlike or refund function exists to call — the contract simply has no exit path for this ETH.
Alice's 1 ETH sits in LikeRegistry indefinitely with no recovery path.
Recommended Mitigation
Track each liker's outstanding balance and provide a withdrawal function callable after a timeout:
Lead Judging Commences
[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.
## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.