userBalances Never Credited in likeUser — All Matched ETH Permanently Locked
Missing userBalances Credit Causes All ETH to Be Permanently Locked
Description
LikeRegistry is designed to collect 1 ETH per like, track each user's contributions in userBalances, and pool both balances (minus 10% fee) into a newly deployed
MultiSigWallet on a mutual match.likeUser accepts msg.value and deposits it into the contract, but never executes userBalances[msg.sender] += msg.value. When matchRewards fires on a mutual like,
it reads userBalances[from] and userBalances[to] — both permanently zero — computes totalRewards = 0, and sends 0 ETH to the MultiSig. All ETH paid via likeUser
accumulates in the contract with no exit path: totalFees stays 0, so withdrawFees() also cannot recover it.
function likeUser(address liked) external payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
@> // msg.value is received but userBalances[msg.sender] is NEVER updated
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);
if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
emit Matched(msg.sender, liked);
matchRewards(liked, msg.sender);
}
}
function matchRewards(address from, address to) internal {
@> uint256 matchUserOne = userBalances[from]; // always 0
@> uint256 matchUserTwo = userBalances[to]; // always 0
userBalances[from] = 0;
userBalances[to] = 0;
@> uint256 totalRewards = matchUserOne + matchUserTwo; // 0 + 0 = 0
uint256 matchingFees = (totalRewards * FIXEDFEE) / 100; // 0
uint256 rewards = totalRewards - matchingFees; // 0
totalFees += matchingFees; // 0 added
MultiSigWallet multiSigWallet = new MultiSigWallet(from, to);
@> (bool success,) = payable(address(multiSigWallet)).call{value: rewards}(""); // sends 0 ETH
require(success, "Transfer failed");
}
Risk
Likelihood:
Every single likeUser call triggers this bug — it activates on the very first ETH payment regardless of whether a match ever occurs.
Every mutual match deploys a MultiSigWallet that receives 0 ETH while both users' payments remain permanently trapped; the protocol is broken from the moment of
deployment.
Impact:
All ETH paid by every user across all likeUser calls is permanently locked in LikeRegistry with no withdrawal path — neither users nor the owner can recover it
(totalFees is always 0 so withdrawFees reverts with "No fees to withdraw").Matched users receive a functional but empty MultiSig wallet — 0 ETH available for their first date despite each having paid 1+ ETH.
Proof of Concept
function test_H01_AllETHPermanentlyLocked() public {
vm.prank(alice);
profileNFT.mintProfile("Alice", 25, "ipfs://alice");
vm.prank(bob);
profileNFT.mintProfile("Bob", 26, "ipfs://bob");
vm.deal(alice, 1 ether);
vm.prank(alice);
likeRegistry.likeUser{value: 1 ether}(bob);
// userBalances[alice] is still 0 — never credited
assertEq(likeRegistry.userBalances(alice), 0);
vm.deal(bob, 1 ether);
vm.prank(bob);
likeRegistry.likeUser{value: 1 ether}(alice); // triggers match
// Contract holds 2 ETH — permanently trapped
assertEq(address(likeRegistry).balance, 2 ether);
// Owner cannot withdraw anything — totalFees = 0
vm.prank(owner);
vm.expectRevert("No fees to withdraw");
likeRegistry.withdrawFees();
assertEq(likeRegistry.userBalances(alice), 0);
assertEq(likeRegistry.userBalances(bob), 0);
}
Recommended Mitigation
function likeUser(address liked) external payable {
require(msg.value >= 1 ether, "Must send at least 1 ETH");
require(!likes[msg.sender][liked], "Already liked");
require(msg.sender != liked, "Cannot like yourself");
require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT");
require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT");
-
userBalances[msg.sender] += msg.value;
likes[msg.sender][liked] = true;
emit Liked(msg.sender, liked);if (likes[liked][msg.sender]) {
matches[msg.sender].push(liked);
matches[liked].push(msg.sender);
emit Matched(msg.sender, liked);
matchRewards(liked, msg.sender);
}
}
Lead Judging Commences
[H-01] After the user calls the `likeUser` function, the userBalance does not increase by the corresponding value.
## Description User A calls `likeUser` and sends `value > 1` ETH. According to the design of DatingDapp, the amount for user A should be accumulated by `userBalances`. Otherwise, in the subsequent calculations, the balance for each user will be 0. ## Vulnerability Details When User A calls `likeUser`, the accumulation of `userBalances` is not performed. ```solidity function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; emit Liked(msg.sender, liked); // Check if mutual like if (likes[liked][msg.sender]) { matches[msg.sender].push(liked); matches[liked].push(msg.sender); emit Matched(msg.sender, liked); matchRewards(liked, msg.sender); } } ``` This will result in `totalRewards` always being 0, affecting all subsequent calculations: ```solidity uint256 totalRewards = matchUserOne + matchUserTwo; uint256 matchingFees = (totalRewards * FIXEDFEE ) / 100; uint256 rewards = totalRewards - matchingFees; totalFees += matchingFees; ``` ## POC ```solidity function testUserBalanceshouldIncreaseAfterLike() public { vm.prank(user1); likeRegistry.likeUser{value: 20 ether}(user2); assertEq(likeRegistry.userBalances(user1), 20 ether, "User1 balance should be 20 ether"); } ``` Then we will get an error: ```shell [FAIL: User1 balance should be 20 ether: 0 != 20000000000000000000] ``` ## Impact - Users will be unable to receive rewards. - The contract owner will also be unable to withdraw ETH from the contract. ## Recommendations Add processing for `userBalances` in the `likeUser` function: ```diff function likeUser( address liked ) external payable { require(msg.value >= 1 ether, "Must send at least 1 ETH"); require(!likes[msg.sender][liked], "Already liked"); require(msg.sender != liked, "Cannot like yourself"); require(profileNFT.profileToToken(msg.sender) != 0, "Must have a profile NFT"); require(profileNFT.profileToToken(liked) != 0, "Liked user must have a profile NFT"); likes[msg.sender][liked] = true; + userBalances[msg.sender] += msg.value; emit Liked(msg.sender, liked); [...] } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.