Beginner Friendly, Foundry, NFT
Submission Details
Severity: medium
Valid

**Anyone can send a message through `Soulmate::writeMessageInSharedSpace`, so the soulmates holding NFT id 0 can have messages sent on their behalf or have their messages overwritten**

    • Description:

      • Anyone can call the function `Soulmate::writeMessageInSharedSpace` and override the message sent by the soulmate with NFT id 0. Moreover, anyone can send an offensive message and cause a divorce, leading to a loss of the airdrop rights. Considering the correction of the finding "Soulmate being able to withdraw LoveToken from the period after divorce, leading to a loss of funds to protocol", this can be even worse.

      • If an offensive message is sent through the breach, and one of the soulmates sees it, claims the withdrawal, and immediately gets divorced, the other soulmate will be directly deprived of his airdrop funds.

    • Impact:

      • Malicious users can send an offensive message leading to a divorce and loss of LoveTokens.

    • Proof of Code:

      See the code below. PS: This code is already in your test suite.

      ```solidity
      function test_WriteAndReadSharedSpace() public {
          vm.prank(soulmate1);
          soulmateContract.writeMessageInSharedSpace("Buy some eggs");

          vm.prank(soulmate2);
          string memory message = soulmateContract.readMessageInSharedSpace();

          string[4] memory possibleText = [
              "Buy some eggs, sweetheart",
              "Buy some eggs, darling",
              "Buy some eggs, my dear",
              "Buy some eggs, honey"
          ];
          bool found;
          for (uint i; i < possibleText.length; i++) {
              if (compare(possibleText[i], message)) {
                  found = true;
                  break;
              }
          }
          console2.log(message);
          assertTrue(found);
      }
      ```
    • Recommendation:

    • Add a check in the function. See the code suggestion below.

      function writeMessageInSharedSpace(string calldata message) external {
      + if(soulmateOf[msg.sender] == address(0)) revert Soulmate__OnlyLoversCanSendMessages();
      uint256 id = ownerToId[msg.sender];
      sharedSpace[id] = message;
      emit MessageWrittenInSharedSpace(id, message);
      }
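
Review bot: the added guard at the top of `writeMessageInSharedSpace` reverts with `Soulmate__OnlyLoversCanSendMessages()`, but the suggestion does not show that custom error being declared, so `error Soulmate__OnlyLoversCanSendMessages();` needs to be added to the contract for this to compile. The guard tests `soulmateOf[msg.sender]` while the slot written is still taken from `ownerToId[msg.sender]`, so the fix only holds as long as every address with a non-zero `soulmateOf` entry also has its correct `ownerToId`; a comment stating that invariant and a test that expects the revert for a caller without a soulmate would make the fix easier to verify.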
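
Why the id 0 slot is the one affected, as an added example that is not the audited contract's code: a Solidity mapping returns 0 for a key that was never set, so `ownerToId[msg.sender]` resolves to id 0 for any caller without an NFT. The contract names `SharedSpaceSketch` and `UnpairedCaller`, the `pair` helper, the function names `writeUnguarded` and `writeGuarded`, and the two addresses are constructed for this sketch; the mappings, the error and the guard are the ones shown in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for the storage pattern in the finding; not the audited contract.
contract SharedSpaceSketch {
    error Soulmate__OnlyLoversCanSendMessages();

    mapping(address => uint256) public ownerToId;  // unset keys read as 0
    mapping(address => address) public soulmateOf; // unset keys read as address(0)
    mapping(uint256 => string) public sharedSpace;

    // Hypothetical helper: pairs two addresses under one id.
    function pair(address a, address b, uint256 id) external {
        ownerToId[a] = id;
        ownerToId[b] = id;
        soulmateOf[a] = b;
        soulmateOf[b] = a;
    }

    // Same shape as the unguarded function described in the finding.
    function writeUnguarded(string calldata message) external {
        uint256 id = ownerToId[msg.sender]; // 0 for an address that was never paired
        sharedSpace[id] = message;
    }

    // Same write with the check from the recommendation.
    function writeGuarded(string calldata message) external {
        if (soulmateOf[msg.sender] == address(0)) revert Soulmate__OnlyLoversCanSendMessages();
        sharedSpace[ownerToId[msg.sender]] = message;
    }
}

// This contract is never paired, so it plays the caller without a soulmate.
contract UnpairedCaller {
    function run() external returns (bool overwritten, bool blocked) {
        SharedSpaceSketch s = new SharedSpaceSketch();
        s.pair(address(0xA11CE), address(0xB0B), 0); // constructed couple holding id 0

        s.writeUnguarded("not from the couple");
        overwritten = keccak256(bytes(s.sharedSpace(0))) == keccak256("not from the couple");

        try s.writeGuarded("second attempt") {
            blocked = false;
        } catch {
            blocked = true;
        }
    }
}
```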
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-write-message-nft-0-id

Medium Severity, This has an indirect impact and influence on the possibility of divorce between soulmates owning the first soulmate NFT id0, leading to permanent loss of ability to earn airdrops/staking rewards.
