Any number of users can call the Airdrop::claim
function and receive tokens that were meant for the owner of the soul mate token id 0.
When calling Airdrop::claim
it checks if the caller is the owner of a soulmate token in the following fashion
In the Soulmate
contract this call will read from mapping(address owner => uint256 id) public ownerToId;
which for users that have not minted a soulmate token will return 0. This makes it so that numberOfDaysInCouple
will always correspond to the number of days that the owner of the soul mate token id 0 has been in a couple.
Add the following test to BaseTest.t.sol
and run forge test --mt test_user_can_claim_airdrop_from_id_0
An attacker can drain the Airdrop
Vault of love tokens by repeatedly calling Aidrop::claim
with different addresses.
Foundry
Change Soulmate.sol
so that the token id starts with id 1 instead of 0, and add a check in Airdrop.sol
so that the return of 0 in ownerToId
is invalid.
In Soulmate.sol
In Airdrop.sol
High severity, This issue is separated from the flawed `isDivorced()` check presented in issue #168 as even if that is fixed, if ownership is not checked, isDivorced would still default to false and allow bypass to claim airdrops by posing as tokenId 0 in turn resulting in this [important check for token claim is bypassed.](https://github.com/Cyfrin/2024-02-soulmate/blob/b3f9227942ffd5c443ce6bccaa980fea0304c38f/src/Airdrop.sol#L61-L66). #220 is the most comprehensive issue as it correctly recognizes both issues existing within the same function.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.